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Preface 


This book closes a gap as there is no literature currently in circulation that specifi¬ 
cally addresses risk management issues in the aviation industry. The aim of this 
book is to show the theoretical background and implementation phases of a 
multifaceted risk management system, to gain a gradation for smaller operators 
who do not have the complexity of large operators for whom the system was 
initially developed. This approach illustrates the leeway available to adapt pro¬ 
cesses and reveals the interfaces between risk management and safety management. 
The book describes how to approach corporate risk management, with reasonable 
effort, appropriate to the size and complexity of the specific operator. It provides an 
idea of what the key considerations are and how to effectively operate such a system 
with the various interfaces. Furthermore, it provides an indication about the time 
investment needed in the set-up and the continuous process of corporate risk 
management from a cost and benefit perspective. Specifically, a safety management 
system (SMS), fatigue risk management and air traffic control risks are provided as 
specific practical cases of risk management. 

An empirical study shows the level of implementation of corporate risk man¬ 
agement in the aviation industry in practice. Based on the comparison of theory and 
practice, and the knowledge provided by the empirical study, different checklists 
and samples for the optimization of risk management are provided. Documents 
illustrating risk policy, the job description of a risk manager, a questionnaire for an 
SMS gap analysis, emergency director checklist, master risk list, hazard reporting 
procedure, air safety report, safety manager evaluation sheet, SWANS report, etc. 
are provided in appendices for the particular chapters. Furthermore, a time/cost 
table for the implementation and continuous development of corporate risk man¬ 
agement is included. 

This book addresses all actors in the aviation industry, such as aviation 
companies, consultants, and educators. It provides the opportunity for all actors 
to build and optimize their risk management systems/procedures. For the strategic 
management level, this publication makes clear why risk management has to be 
established as a culture in a company and must be fully supported by top 
management. 

Finally we would like to thank everyone who supported us during the process of 
writing this book, especially the authors Ernst Kohler, Stefan Becker and Heinz 
Wipf who provided additional content. Furthermore, many thanks go to Nicole 
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Preface 


Denk who helped with translations and supported us administratively, and to David 
Roberts who supported us with the final editing. We are grateful for all the support 
we have received and which helped to finalize this book that fills a void in the 
current literature. 

Sankt Gallen, Switzerland Roland Muller 

Lorsch, Germany Andreas Wittmer 

January 2014 Christopher Drax 
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Andreas Wittmer 


The aviation industry faces a variety of risks. For this reason, risk management is 
self-evident in this industry. But the aviation industry also faces a greater density of 
regulations concerning risk management than other industries. For example, the 
implementation of internal control systems (ICS) and safety management systems 
(SMS) are often required depending on specific activities, complexity and size of 
the company. The International Civil Aviation Organization’s (ICAO’s) decision to 
require aviation organizations to adopt safety management systems (SMS) has 
clearly focused attention on the concept of SMS. These requirements for safety 
and risk management represent a huge problem, especially for small and medium 
sized aviation companies because the majority is not able to appropriately deal with 
the subject in order to gain advantages. The different systems are interrelated and 
should be linked to the culture of companies. In fact, aviation companies need to 
have risk management as a core competence if they want to operate according to 
regulations and remain sustainable in the market. 

Part I: Introduction The introduction provides the reader with the background 
and the motivation of the authors to write about the topic of risk and safety 
management in aviation. The objective and methodological approach are explained, 
with all the relevant definitions, to build the scientific basis for the further under¬ 
standing of the topic. Furthermore, the introduction outlines the limitations of the 
book to define the scope of the following chapters. 

Part II: Theoretical Background of Risk and Safety Management Part II 
provides theoretical background on risk and safety management. It deals with the 
necessity to develop risk management and internal control systems, as well as 
highlighting the importance of implementation and a continuous risk management 
process. The costs and benefits of risk management reveal major differences in the 
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different implementation efforts based on the complexity and size of individual 
companies. It demonstrates that the implementation of risk management is also 
possible for small companies; although the cost of maintaining an effective risk 
culture does influence the sustainable development of a small company more than it 
does a big one. The check list and files in the appendix should help small companies 
especially to implement risk management with limited costs. 

Operational risk management is an integrated part of safety management 
systems which have an impact on corporate governance and internal control 
systems in organizations. 

Part III: Practical Implications of Risk and Safety Management An empirical 
study analyses the level of risk and safety management implementation in the 
aviation industry. The analysis of the survey shows that almost half of the 
respondents were from organizations with a workforce greater than 500 employees. 
Small firms with less than 50 employees were underrepresented with only 15%. 
However, this is still a very interesting segment to study as most of the regulations 
are developed specifically for larger organizations, and small organizations are 
increasingly struggling with the implementation and monitoring of regulatory 
compliant management systems. 

Risk management in air traffic control highlights how operators deal with risks 
and their consequences, such as accidents. In an aviation transport system value 
chain, it can be argued whether every entity has to perform risk management in its 
safety activities. Instead, it is proposed first to analyze where the risk bearers are 
located. 

There is evidence that the aircraft operator bears the final risks. Although other 
entities like airports and air navigation service providers are part of a hazardous 
operation, they have a limited impact on the exposure to safety risks. They suffer 
only limited effects from safety risk. It is therefore necessary for the aircraft 
operator to have a risk-based safety management system. Risk assessment is part 
of risk management and should be done only by the most influential entity, while 
still collaborating with the other entities that support the addressed flight operation. 
The need and necessity to assess the risk of flights seem best to remain with the 
operator. This is because it seems to be the only entity that can predetermine the 
scenarios, estimate convoluted likelihoods and control incurred damages and losses 
when deciding on the type of aircraft to be used. The influence of the other entities 
on likelihood, damage and loss are unevenly allocated. 

The case of fatigue risk management is addressed by a risk assessment study. 
When implementing a company-wide safety culture and the related programs, 
managers or supervisors form an integrative link between the senior management 
and the employees. Corporate culture is the sum of the behavior, habits, shared 
history and anticipated future within a company. Supervisors are correspondingly 
important, as they act as role models who uphold the corporate culture in the 
various spheres on a day-to-day basis. It is essential that they are aware of the 
key role they play, and that they carry it out voluntarily. Otherwise, they fail to 
come across as authentic and are thus more likely to damage a healthy safety culture 
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than enhance it. Supervisors should also integrate the fatigue factor into their daily 
mission discussions, in order to regularly address the problems involved. Changes 
may need to be made to the duty roster to prevent acute or cumulative sleep debt or 
other fatigue-promoting factors. For this purpose, superiors are continually 
informed about new findings gained from the Fatigue Risk Management process 
and also involved in further developing company-wide anti-fatigue programs, for 
which they can draw on their everyday experience. Finally, two aircraft accident 
investigation cases highlight the importance of continuous risk and safety manage¬ 
ment in practices. 

Part IV: Implementation and Optimization of Risk and Safety 
Management Part IV deals with implementation and optimization of established 
risk and safety management and adds four phases, namely “organization”, “risk 
collection and assessment”, “risk mitigation” and “continuous improvement and 
change management”. A general problem within the SMS literature is that the 
majority of implementation structures and recommendations are tailored to large 
enterprises. When following these plans, an enterprise might take months until they 
come to the point where they can start identifying their first risks. Our philosophy is 
to immediately start with the collection of risks in order to gain an overview of the 
main risks an organization is facing and to work on mitigating them as soon as 
possible. We therefore compressed the following implementation structure down to 
the essentials to quickly move to risk collection. The following SMS implementa¬ 
tion process is divided into four different phases to split up the workload and to 
provide a convenient structure to follow when implementing the safety manage¬ 
ment system. The time horizon of four years should also allow the adjustment of the 
culture within a company in order to create a positive safety culture. Each 
corresponding SMS topic will be addressed in this chapter with a brief explanation 
including the required deliverables. Thus, Part V provides tools as practical 
examples and guidance for the implementation. 

Appendices The appendices in the different chapters provide check-lists and 
documents which can be used directly by companies implementing and optimizing 
their risk and safety management. The following documents are provided: 

• Sample risk manager job description 

• Types of risk 

• Accident definitions 

• Joint probability distribution of aircraft weight and total fatalities 

• Decision layer and influence 

• Kinetic and chemical potential energy of aircraft 

• SMS gap analysis 

• Sample safety policy 

• Master risk list examples 

• ASR/hazard reporting procedure 

• Sample air safety report 

• Safety manager evaluation sheet 




4 


A. Wittmer 


• SWANS report 

• ERP checklist emergency director 

• Individual risk assessment example 

• Risk management policy 

• Steps in assessing risk 

• Glossary 

• Insurance review 
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Introduction 
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2.1 Background 

To improve the currently existing levels of aviation safety, especially when consid¬ 
ering the continuing growth of the industry, additional measures are required. One 
such measure is to encourage individual aircraft operators to introduce their own 
safety management system. Such a safety management system is as important to 
business survival as a financial management system and should be regarded as the 
core value and process of a company. One of the main purposes of an SMS is to 
improve the safety performance, and therefore reduce exposure to the risk of having 
an accident or suffering bankruptcy. 

The implementation of a safety management system should lead to an overall 
improvement of the processes of a company, and should contribute to one of civil 
aviation’s key business goals: enhanced safety performance, aiming at best 
practices and moving beyond full compliance with regulatory requirements. 

With Amendment 30 to ICAO Annex 6 Part I, the International Civil Aviation 
Organization introduced requirements for air operators to implement an acceptable 
safety management system. This obligation is similar to EC 8/2008 EU OPS 
1 paragraph 1.037 which requires the establishment and maintenance of an accident 
prevention and flight safety program in order to improve aviation safety. 

Another crucial part of risk management, namely security, is defined in regula¬ 
tion (EC) No 300/2008 of the European Parliament and of Council of 11 March 
2008 on common rules in the field of civil aviation security. In order to be more 
flexible in addressing evolving risk assessments, adopting security measures and 
processes and to introduce new technologies in the civil aviation framework, this 
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Fig. 2.1 Risk management 
components. Source : Own 
illustration 


Strategy 


Safety 



regulation was designed to illustrate the basic principles of what has to be done in 
order to safeguard civil aviation against acts of unlawful interference without going 
into the technical and procedural details of how they are to be implemented. 1 

Although many companies and operators already use a form of safety/risk 
management, this is often a long way from being designed effectively. Often 
operators restrict themselves to risks on the operational level, or risk management 
is considered only as prevention management. Risk management has to cover all 
company areas and has to be communicated across all business functions in order to 
be effective (Fig. 2.1). 

There are many aviation companies that have extremely good safety records 
while still operating with risky behavior characteristics or inadequate organiza¬ 
tional structures. Fortunately, they have just not had an accident yet. However, a 
good safety record does not guarantee future safety—a fact that is yet not clearly 
understood by the various aviation stakeholders. Safety does not happen by chance. 

In addition, small aircraft operators lack the required resources and knowledge 
to implement an effective, integrated management system into their business 
processes. 

Sample checklists and guidance material (provided in this book) should serve as 
a guideline for an appropriate way of dealing with the implementation of a 
suitable SMS. 


2.2 Objective of the Book 

The objective of the book focuses on the illustration of several aspects of safety and 
risk management. 


1 European Union (2008). 
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First of all the necessary scientific basis has to be explained in order to gain an 
understanding of the examined subject. In relation to this, the interdisciplinary 
aspects of international regulations and organizational requirements are explained. 

The regulatory basics and requirements are demonstrated in a theoretical way in 
order to build the foundation for a practical approach. It should serve as a guide to 
how an organization, affected by safety management system requirements, can 
adapt to the regulations in a size-appropriate manner and with a corresponding 
suitable approach, in order to implement a safety management system in practice. 

A further objective is to highlight that safety and risk management are essential 
parts of an organization and vital for day to day business. 

Finally, it demonstrates how safety management can be implemented by the 
various aviation stakeholders. Samples and checklists serve as the guideline for a 
basic SMS implementation. 


2.3 Methodology 

The methodological approach of the authors can be explained as follows: 

1. Evaluation of the existing literature on the subject risk management and safety 
management systems 

2. Analysis of studies and reports 

3. Results from a survey about risk management 

4. Experience based on past implementation projects and seminars 

5. Development of specific tools based on (solutions to) practical problems 

The different disciplinary backgrounds of the authors have repeatedly led to 
exciting discussions during the preparation of the book. It became clear that the 
issues about risk management and safety management systems can only be usefully 
worked on in practice when different perspectives are taken on board, and if they 
are consciously applied in an aviation context. 

The introductory chapter indicates which concepts for the in-depth understand¬ 
ing of safety management systems and risk management are essential, and how they 
are/should be interpreted. Definitions provide the foundation for further reading. 

Part II provides the theoretical background of risk and safety management. In 
detail, it combines the scientific basis of regulatory requirements and basic law on 
the one hand and, on the other hand, creates a basis for the understanding of the 
subject. In relation to this, the relevant legal, management and aviation specific 
literature is incorporated. 

Part III explains the practical implications of risk and safety management. Due 
to this, a survey was conducted and the results have been evaluated to illuminate 
current trends. The chapter closes with two aircraft accident examples. 

Part IV deals with the concrete, practical implementation and optimization of the 
previously explained theoretical models concerning safety and risk management 
approaches. Therefore, it explains the most important implementation steps in four 
different phases with specific, practical examples. 
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Part V includes appendices with checklists and samples for implementation. 
They should serve as guidance material for planning and implementing a SMS. 
Furthermore, the samples can be enhanced and adapted to each organizational need. 


2.4 Definitions 

Below, the most important concepts are explained to serve as a basis of understand¬ 
ing for the following content. 


2.4.1 Hazard 

A hazard is a condition or an object with the potential of causing injuries to personnel, 
damage to equipment or structures, loss of material, or reduction of ability to perform a 
prescribed function. 2 

Looking at an example from the ICAO Safety Management Manual, will make it 
clear how a hazard should be understood. 

Consider, for example, wind, a normal component of the natural environment. 
Wind is a hazard: A fifteen-knot wind, by itself, does not necessarily hold potential 
for damage during aviation operations. In fact, a fifteen-knot wind blowing directly 
down the runway will contribute to improving aircraft performance during depar¬ 
ture. However, when a wind blows at fifteen knots across a runway used for 
intended take-off or landing, it becomes a crosswind. It is only then, when the 
hazard interfaces with the operations of the system (take-off or landing of an 
aircraft) aimed at service delivery (the need to transport passengers or cargo to/from 
the particular aerodrome while meeting a schedule) that its potential for damage 
becomes a safety concern (a lateral runway excursion because the pilot may not be 
able to control the aircraft as a consequence of the cross wind). 

A hazard should not necessarily be considered as a “bad thing” or something 
with a negative connotation. Hazards are an integral part of operational contexts, 
and their consequences can be addressed through various mitigation strategies to 
contain the hazard’s damaging potential. Hazards can be divided into three different 
sub categories and can be found in all operational, natural and maintenance aspects 
which have a direct influence on aircraft operations and have the potential to cause 
harm. Therefore, it is of high importance to identify those hazards and keep them 
controlled. 3 

The three categories are classified as follows: 

Natural hazards can be described as an unforeseen or uncontrollable natural 
event of unusual intensity which has a negative effect or possibly threatens a safe 
aircraft operation. Natural hazards are classified as severe weather and climatic 


2 Stolzer, Halford, and Goglia (2008), p. 26. 

3 International Civil Aviation Organization (ICAO) (2013), pp. 2-25. 
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events, adverse weather conditions, geophysical events, geographical 
conditions, environmental events and public health events. 4 
Economic hazards can occur at any time within an organization, whether it is 
currently in a growth period or suffering from a recession. During growth 
periods, organization and safety is lacking behind the operations, while during 
a recession a company tries to reduce costs and wants to avoid wasting money, 
especially on costs for material and equipment. Therefore, sacrifices towards 
safety might be accepted to save costs. 5 

Technical hazards, in general, perpetuate in all maintenance and operational 
environments where humans interact with technological systems. Some 
examples where technical hazards might occur are in the operational environ¬ 
ment with aircraft and aircraft components, systems, subsystems and 
corresponding equipment. 6 


2.4.2 Safety Risk 

Risks are disruptions resulting from the unpredictability of the future caused by 
accidental derogation possibilities of planned targets. Therefore, talking about risks 
also means the dispersion around an expected value. 

The assessment, expressed in terms of predicted probability and severity, of the conse- 

quence(s) of a hazard taking as reference the worst foreseeable situation. 7 

This statement is the official definition of safety risk by ICAO; it takes 
into consideration the identified hazard and classifies it into two categories— 
“probability” and “severity”. The term “safety risk” is the continuance of a hazard 
in terms of a scenario that follows due to accepting the hazard. Since it is not only of 
importance to identify hazards and then engage a mitigation process, it is also 
“necessary to evaluate the seriousness of consequences, so as to define priorities 
for the allocation of resources when proposing mitigation strategies”. 8 A hazard 
is only the condition or circumstance that can lead to physical damage or loss. It is 
not to be confused with the associated safety risks. For example, an obstacle at 
the end of a runway composes a hazard. This obstacle could lead to at least three 
safety risks. The first safety risk would be that an aircraft might hit the 
obstacle while landing or taking off. The second safety risk would be that the 
pilot knows the obstacle is there and may carry out a steeper approach than normal, 
in order to avoid the obstacle and arrive at the end of the runway “hot and high”, 
continue with the landing and overrun the runway. A third safety risk could be 


4 International Civil Aviation Organisation (ICAO) (2009), pp. 4-3. 

5 International Civil Aviation Organisation (ICAO) (2009), pp. 4-4. 

6 International Civil Aviation Organisation (ICAO) (2009), pp. 4-4. 

7 International Civil Aviation Organization (ICAO) (2013), p. 5-ii. 

8 International Civil Aviation Organisation (ICAO) (2009), p. 5. 
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that the pilot in the second scenario recognizes that he or she is “hot and high” 
and executes a “go around”. In order to know the outcome of the hazard, where 
this might lead and what actions need to be taken, the safety risk has to be assessed. 
This is done by classifying the safety risk into two categories 9 —probability and 
severity. 10 


2.4.3 Risk Management 

Risk management is generally understood as the holistic process involved in 
recognizing possible risks, and the measures undertaken to reduce and monitor 
them. It thus comprises a modular cycle of communication, documentation, control, 
early warning mechanisms, and advancement. 

This general definition of risk management as a comprehensive process can be 
further concretized: 

Risk Management means the permanent and systematic recording of all kinds of risks with 
regard to the existence and the development of the enterprise. It involves analyzing and 
prioritizing recognized risks as well as defining and implementing adequate strategic or 
surgical measures to minimize non-tolerable risks. * 11 

In this definition, the following important elements are united in connection with 
risk management: 

• Risk management comprises not only a unique action, but a steady process 
which must be implemented in the enterprise. 

• In order to not merely recognize the obvious risks, a structured procedure, aimed 
at investigating and listing all risks within all ranges, is necessary. 

• Each risk is to be judged individually and to be evaluated by the same yardsticks 
to establish interconnections as regards the degree and kind of risk potential 
involved. 

• Within the scope of its risk policy, company management has to decide which 
risks must be accepted, avoided or managed on the basis of their consequences 
and the suitable measures that would need to be undertaken. 

• The logical conversion of agreed strategic or mitigation measures to manage or 
reduce potential risks. 

• And finally, risk management can only be successful if newly emerging risks and 
claims are communicated in a standard form on all enterprise levels (so-called 
Risk Reporting) and if a suitable organization exists to ensure on-going process 
optimization (so-called Risk Controlling). 


9 According to the Safety Management Manual (SMM) of the ICAO. 

10 International Civil Aviation Organisation (ICAO) (2009), pp. 5-2-8. 

11 Wittmer, Bieger, and Muller (2011). 
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2.4.4 Operational Risk Management 

Operational risk is defined by the Basel Committee as “The risk of loss resulting 
from inadequate or failed internal processes, people and systems or from external 
events”. Operational risk management and line management together assess and 
monitor these risks and prepare risk mitigating strategies and actions. The Business 
Continuity Plan is a response prepared to react to a subset of operational risks, 
defined by the scope and size of events: The focus of Business Continuity Manage¬ 
ment is not on risks to the core-business objectives, but on external risks that lie 
outside the competencies of the business and cause significant business disruption 
that might threaten the survival of the company. 


2.4.5 Risk Appetite 

“Risk appetite is the amount of risk, on a broad level, an organization is willing to 
accept in pursuit of value. Each organization pursues various objectives to add 
value and should broadly understand the risk it is willing to undertake in doing 
so .” 12 No organization can achieve its objectives without taking risks but the level 
and amount of risks an organisation has to take, cannot be clearly specified. The 
biggest challenge is to manage the taken risks continuously . 13 


2.4.6 Risk Mitigation 

Risk mitigation is the process of lowering a risk to a level which is as low as 
reasonably practical . 14 Risks have to be identified and classified in order to develop 
and apply the right mitigation measures. The process of risk mitigation makes it 
possible for air operators to accept certain risks in daily operations and classify 
them according to company policies and procedures. It ensures that changes or new 
situations are assessed according to their safety significance, and classifies them 
according to their safety severity. Risk mitigation measures often incorporate a cost 
benefit analysis. This analysis has to determine whether risk mitigation makes 
economic sense, or whether the organization has to accept the risk, or if it has to 
cancel the operation. 


12 Rittenberg and Martens (2012). 

13 The Institute of Risk Management (201 1). 

14 International Civil Aviation Organisation (ICAO) (2009). 
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2.4.7 Safety 

The term safety has different meanings and depends on perspective and context. 
The International Civil Aviation Organization (ICAO) considers safety as: 

The state in which the risk to harm to persons or damage to property is reduced to, and 
maintained at or below, an acceptable level through a continuing process of hazard 
identification and risk management. 15 

Often, safety is understood as the condition of zero incidents. When being 
familiar with the hazardous environment in aviation, it becomes clear that the 
risk of incidents is always present. The question is not about how safe a company 
is, but more how safe a company wants to be and what measures have to be taken to 
reach this defined goal. Safety must be interpreted as a result of efficient review and 
management behavior of organizational processes, with the target to control safety 
risks and hazards in the operational environment. 


2.4.8 Safety Management System 

A safety management system can be described as a set of processes or components 
that combines operational and technical systems with financial and human resource 
management. Those processes are present in every activity of the aviation 
stakeholders. It is a methodical approach to safety with the focus on goal setting 
and a clear definition of accountability throughout the operator’s organization. The 
intention of a safety management system is to develop and sensitize the company 
away from a reactive to a proactive generative safety culture in order to identify 
hazards and possible incidents before they can occur. 

A SMS aims at continuous improvement to the overall level of safety while 
measuring performance, analyzing processes and becoming an integral part of the 
company’s business management activities and corporate culture. As a conse¬ 
quence, the implementation of a SMS requires processes which allow the control 
of safety risks and introduces the concept of the acceptable level of safety. 


2.4.9 Safety Culture 

An organization’s culture is defined by what the people do and which decisions they 
take. This reveals the basic values of an organization. A positive safety culture will 
move a company forward to a maximum achievable safety level, despite business 
cycles and times of recession where financial pressure is evident. A positive safety 
culture can be split into four different components: 


15 International Civil Aviation Organisation (ICAO) (2009). 
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• Informed culture: The people who manage the system have sufficient knowl¬ 
edge in all functional areas of human resources and maintenance, as well as 
environmental and organizational aspects which have a direct link to safety. 
They understand the hazards and risks involved in daily operations. 

• Reporting culture: The basis for a reporting culture is an atmosphere of trust, 
where people are encouraged to report their errors or near misses. Those reports 
provide essential information which can be used to avoid the same mistakes 
being repeated. 

• Just culture: Based on the reporting culture and understood as a ‘blame-free’ 
culture, employees are supported by providing essential safety related informa¬ 
tion. Furthermore, it is quite clear where the line is drawn between acceptable 
and unacceptable behavior, and when unsafe acts will call for disciplinary 
action. 

• Learning culture: A company must strive for constant improvement and must 
share the ‘lessons learned’ to draw the right conclusions from its safety manage¬ 
ment system. It possesses the willingness to challenge its basic assumptions and 
should change processes when inadequacies have been identified. 

Looking at the above mentioned characteristics, it becomes clear that it is not an 
easy task to establish a safety culture—it is more a development which takes time 
and commitment, and must be understood by everyone within an organization. 
Therefore, establishing a safety culture is one of the most challenging elements of a 
SMS. Creating a safety culture begins at the top level of an organization, with the 
incorporation of policies and procedures which establish a reporting culture (often 
also implied when referring to the term “just culture”). 

A safety culture is characterized by structures which allow safety-related infor¬ 
mation to be identified on all organizational levels and entered into a system 
empowered to correct and deal with these problems. 

In order to support a reporting culture, the organization must cultivate the 
willingness of its members to report errors. The organization has to make the 
commitment not to punish errors, as long as they are not reckless. Then these 
reports become valuable sources in the context of hazard identification and, more 
importantly, build the foundation for an effective SMS. 


2.5 Limitations 

There are some topics connected to risk management which are important but are 
not, or only briefly, discussed in the present work. The following list provides a 
brief overview of the limitations. 


2.5.1 Quality Management 

This book will not describe the differences between quality and safety management. 
We can only highlight that quality and safety management systems both have to be 
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planned and managed, as neither quality nor safety happen by chance. Quality 
systems do not investigate incidents or accidents for risk assessment. Quality 
systems audit the output of a process only in terms of variance, and make 
adjustments. A SMS investigates events, looking for contributing factors from all 
influencing sources. Both depend upon measurement and monitoring, and together 
they encompass every function, process and member of staff, while striving for 
continuous improvement. 


2.5.2 Emergency Response Planning 

In the context of risk and safety management, we don’t want to focus in detail on the 
development and implementation of emergency response planning and crisis man¬ 
agement. We aim to focus more on proactive and preventive measures in order to 
prevent crisis scenarios. 


2.5.3 Corporate Risk Management 

The book does not focus on Corporate Risk Management or owner (leasing) risks. 
We will only partially describe corporate governance, with our focal point on the 
management level. 


2.5.4 Aircraft Development and Testing Activities 

All development activities for aerospace products including specific verification 
and validation, monitoring, measuring and testing activities, and product accep¬ 
tance criteria are excluded in this version. In relation to this, there is no focus on 
FMEA or any other design and development related processes. 


2.5.5 Actuarial Calculation of Risks for Insurances 

Insurances are an important tool for hedging and the passing-on of risks. Companies 
with well-developed risk management gain cheaper access to capital; additionally, 
they can also negotiate favorable deals or reduced premiums with insurance 
providers. This is indeed an important development as risk management now 
makes direct financial sense, contradicting the belief of many skeptics who felt 
risk management was just a cost center and a bureaucratic exercise . 16 Furthermore, 
risk management has a high priority in the insurance industry and is a basic service 
for the insured company. The main application of insurances, from a business 


16 Kalia and Muller (2006). 
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perspective, is the protection of property, plant and equipment, along with material 
items of current assets, and the consequential damages resulting from the loss of 
operational capabilities. In addition, liability insurance which covers third party 
damage, personal injury claims, property damage and financial loss are further 
services by insurance companies . 17 Despite the importance of insurance, further 
analysis on how to calculate insurance risks is not directly relevant to the main 
themes of this book. 
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Every company faces different types of risks. Unfortunately, risks are often 
detected too late, so neither sufficient time nor adequate measures are available to 
prevent damage resulting from the realization of the risk potential. To prevent this, 
farsighted management seeks to identify potential risks and, where possible, to 
minimize the most dangerous ones for the company through appropriate strategic 
and operational measures. Therefore, consciously or unconsciously, each organiza¬ 
tional management applies Risk Management. In fact, Risk Management is an 
inalienable and indefeasible duty of the Board of Directors. The Swiss code of 
obligations specifies in Article 716a under no. 1 that the direction of the organiza¬ 
tion is necessarily assigned to the board. 

This includes the duty to avoid unnecessary risks and to minimize unavoidable 
risks to ensure the existence and further development of the company. As a 
consequence of the amendment of the Limited Liability Company Law of 
1.1.2008, 1 the annex to the financial statements must state information about the 
implementation of a risk assessment. 

If the risk assessment and risk mitigation is to be more than an occasional and 
coincidental event, the organizational structures, responsible personnel and the 
applicable processes have to be defined. In order to compare the efficiency of 
Risk Management between different companies, a certain standardization of the 
following points is necessary 2 : 


1 Also Article 663b OR is added that according to No. 12. 

2 AIRMIC, ALARM, and IRM (2002). 
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• Terminology related to the words used 

• Risk management process 

• Organizational structure for Risk Management 

• Objectives of Risk Management 

Such a risk management standard was created in England after extensive 
consultations with various professional associations such as the Institute of Risk 
Management (IRM), 3 the Association of Insurance and Risk Managers (AIRMIC) 4 
and the National Forum for Risk Management in the Public Sector (ALARM). 5 

The Federation of European Risk Management Association (FERMA) is trying 
to implement this standard in practice, so that organizations and companies can 
measure themselves against it. Where applicable, the definitions of the International 
Standard Organization (ISO) will be used. 


3.1 Importance of Risk Management 

Risk is considered as an essential element of strategic management and is currently 
discussed in many empirical industry studies and is prominent in connection with 
firm and business unit performance. Especially in times of crisis, the strategic 
importance of Risk Management becomes quite clear. The massive increase in 
forecast uncertainty leads to a competitive advantage for companies that can 
interpret and manage risks better than others. As companies are usually only able 
to achieve higher returns by simultaneously taking additional risks, Risk Manage¬ 
ment in particular has to decide what kinds of risks are acceptable for an organiza¬ 
tion. 6 Ruefli et al. argued that we lack a generally accepted model of strategic risk 
taking which is based on the various connections within firms and the interplay 
among decision makers, organizational processes, and market and industry factors 
that have an influence on the judgment of risk and strategic risk taking in an 
organized way. 7 

Strategic Risk Management can be described as a process for identifying, 
assessing and managing risk anywhere in the strategy, with the goal of protecting 
and creating shareholder and stakeholder value. Strategic Risk Management is the 
primary component and basis of enterprise Risk Management and is affected by 
boards of directors, management and others. A strategic view of risk is required in 
order to understand how external and internal events or scenarios will affect an 
organization in the pursuit of reaching its strategic objectives. Furthermore, 


3 The Institute of Risk Management, Lloyd’s Avenue 6, London EC3N 3AX, www.theirm.org. 

4 The association of Insurance and Risk Managers, Lloyd’s Avenue 6, London EC3N3AX, www. 
airmic.com. 

5 The National Forum for Risk Management in the Public Sector, Queens Drive, Exmouth, Devon 
EX8 2AY, www.alarm-uk.com. 

6 Speckbacher, Asel, and Posch (2010). 

7 Ruefli, Collins, and Lacugna (1999). 
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Strategic Risk Management can only work if an organization defines tolerable 
levels of risk, or risk appetite, as a guide for strategic decision making. Finally, it 
is an ongoing process which needs to be embedded in strategy definition and 
strategic management. 8 The current financial and economic crisis has put financial 
management and controlling in affected companies under intense pressure. Plans 
and budgets abruptly lost their basis and companies had to deal with unexpected 
and completely new scenarios. While performance management, value generation 
and growth for many businesses had, for decades, stood in the foreground, the focus 
shifted suddenly towards Risk Management, liquidity assurance and business 
preservation. Emphasis is now placed on increased communication, particularly 
relating to the desired handling of risks. The focus is on the creation of awareness 
for company-wide, acceptable risks, as well as on what kind of risks are unaccept¬ 
able and have to be avoided. In connection with this, the link between risk and 
performance has to be communicated to the employees in order to achieve aware¬ 
ness of that specific interdependency. In this context, the aspect of trust plays an 
important role. 9 

In addition to Ruefli et al., Frigo and Anderson also argued that Strategic Risk 
Management is still a relatively undeveloped activity in many companies, and that 
managers are reluctant to invest in risk functions. Even though Risk Management has 
become quite prominent in many companies, no significant financial investment has 
been made during recent years. The study further revealed that less than one-half of 
companies invested in risk processes; whereas, less than one quarter allocated funds 
for the training of employees with central risk functions. Constant cost pressures and 
budget cuts are limiting investments, but companies have to be careful not to 
compromise the effectiveness of a working risk management system/approach. 10 

When systems increase in size and become more connected, the complexity 
increases as well. Furthermore, large systems become unmanageable and irretriev¬ 
able failures are more likely to happen. Without a doubt, with the complexity of 
organizations today and, to a greater extent those of the future, all institutions will 
face huge challenges when managing that situation. The chance of accidents is high 
and managers have to be able to respond in an appropriate way. * 11 

Given the fact that Risk Management in Austrian companies is mainly under¬ 
stood as a top management task, 83 % of Austrian CFOs indicated they were 
responsible for Risk Management. The survey further showed that there is a 
relatively weak agreement on the question of whether there is a need for Risk 
Management primarily through regulatory/corporate external authorities/systems 
(for example, law or Corporate Governance Code). This may be an indication that 
companies don’t see Risk Management as a regulatory obligation, but rather a 
process for active value creation. 12 


8 Frigo and Anderson (201 1). 
9 Speckbacher et al. (2010). 

10 Frigo and Anderson (2011), 

11 Ford et al. (2003). 

12 Speckbacher et al. (2010). 
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The global financial crisis has revealed that strengthening Risk Management and 
corporate governance are major challenges for organizations. A lesson learned is 
the necessity to clearly link the corporate strategy and Risk Management, and to 
identify and manage risk in a highly uncertain environment. 13 

On average, companies are reasonably satisfied with their Risk Management. 
However, companies across all industries see significant potential for improvement 
in risk management systems, in particular the link between Risk Management and 
strategic planning. 14 Certainly, Risk Management is not a new concept to 
businesses and managers, but the growing complexity and speed in the business 
environment have increased the necessity of a structured approach towards manag¬ 
ing risks. Risk management systems and processes have evolved especially for 
enterprise wide, risk facing organizations. The growing awareness of risks is 
reflected in the fact it is now a central topic for boards and audit committees. 
Nevertheless, until a few years ago, there was still no accepted standard available to 
structure the company wide risk management activities. 15 

In the aviation industry, risks can be broken down into two different levels, 
namely the strategic and process levels. 

Risk at the strategic and process levels is comprised of the following sub 
categories described in Fig. 3.1. 

Recent discussions have shown that there is an ongoing conflict between the 
operational and strategic levels within various aviation organizations. Operational 
stakeholders feel increasingly patronized by financial controlling when carrying out 
risk assessments. Further communication and harmonization efforts have to be 
initiated in order to solve these internal discrepancies. 


3.2 Regulation of Risk Management 

Law has been the main driving force for better Corporate Governance practices in 
Switzerland and therefore also a main driver for Risk Management. Since 1936 
there have only been minor changes to the law, with reforms in 1968 and 1992. The 
Stock Exchange Act, which was implemented in 1996, had a strong influence on 
Corporate Governance practices. The code of obligations triggered many 
developments, such as increased transparency, auditing and compensation disclo¬ 
sure along the lines of the Sarbanes Oxley Act (SOX). 16 


13 Frigo and Anderson (2011). 

14 Speckbacher et al. (2010). 

15 Frigo and Anderson (2011). 

16 The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in the US in 
response to the high-profile Enron and WorldCom financial scandals to protect shareholders and 
the general public from accounting errors and fraudulent practices in the enterprise. The act is 
administered by the Securities and Exchange Commission (SEC), which sets deadlines for 
compliance and publishes rules on requirements. 
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Fig. 3.1 Risk model for the aviation industry. Source : IATA (2013) 

3.2.1 Regulation in Air Law 

There are several regulations in Air Law concerning risk management and safety 
management. The following overview may help to find the relevant regulatory 
framework. 


3.2.1.1 Overview International Regulations 

• ICAO Annex 6 Operation of aircraft 

- Part 1: International commercial air transport, 9th edition 2012 (3.3 Safety 
management and 4.10 Fatigue management) 

- Part 2: International general aviation, 7th edition 2012 (3.3.2 Safety manage¬ 
ment system) 

• ICAO Annex 19 Safety management, 1st edition 2013 (Transfer of existing 
provisions) 

• ICAO Doc 9859 Safety management manual, 3rd edition 2013 (Support roll-out 
of Annex 19) 

• Regulation (EC) No 300/2008 Civil aviation security, 11 March 2008 

- Art. 4 Common basic standards 

- Art. 6 More stringent measures applied by Member States 

• Regulation (EC) 8/2008 Establishing a European Aviation Safety Agency 

- 1.037 “An operator has to establish a risk awareness program” 

• EU-VO 185/2010 (Grundstandards in der Sicherheit) 

- 1.3.1.5 Stichproben bei Pax-Kontrollen nach Risikobewertung 

- 1.5.2 Gelandefiberwachung auf Grund Risikobewertung 

- 4.3.2 Unterrichtung der Behorden fiber Risikobewertung 

• EU-VO 1178/2011 (EASA FCL & MED) 

- Art. 4 Sicherheitsrisikobewertung von Flugschfilern 

- FCL.820 lit. (d) Testflugberechtigung 
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3.2.1.2 Overview National Regulations 

• Art. 103a LFV Sicherheitsmanagementsystem 

- Art. 122h LFV Einsatz Sicherheitsbeauftragter nach Risiko 

- Art. 122k LFV BA fur Polizei zustandig fiir Risiko-Analyse 

- Art. 122m LFV Mitwirkung Airline bei Risiko-Analyse 

A few regulations in Air Law have to be pointed out in order to understand the 
regulatory framework of risk management in the aviation business. 

3.2.1.3 International 

The ICAO describes, with its Fatigue Management SARPs in Appendix 8 of Part I 
to Annex 6, the components that must be in an FRMS. In addition, the associated 
guidance material provides further information on how an FRMS should function. 

Part II of Annex 6 describes the operations of Aircraft in International General 
Aviation (GA) and provides standards and recommended practices (SARPs) for 
international GA operators. 

Regulation (EC) 300/2008 on common rules in the field of civil aviation security 
specifies, under Art. 4, the local risk assessment through the local authorities and 
lays down more stringent measures that have to be applied by Member States after 
the risk assessment under Art. 6. 

Commission Regulation 8/2008, the so called (EU-OPS), regulates common 
technical requirements and administrative procedures applicable to commercial 
transportation by aircraft. It states under 1.037 that an operator shall establish and 
maintain an accident prevention and flight safety program, which may be integrated 
with the quality system. 

Commission Regulation 185/2010 states detailed measures for the implementa¬ 
tion of the common basic standards on aviation security. More specifically under 
1.3.1.5,where persons other than passengers and items carried have to be screened 
on a continuous random basis and under 1.5.2, the frequency and means of 
undertaking surveillance and patrols shall be based on a risk assessment undertaken 
by the appropriate authority. Paragraph 4.3.2 describes that an air carrier will be 
notified in writing and in advance by the competent authority about their risk 
assessment of individuals and of their plan when embarking a potentially disruptive 
passenger on board its aircraft. 

Commission Regulation EU 1178/2011 (EASA FCL & MED) lays down tech¬ 
nical requirements and administrative procedures related to civil aviation aircrews. 
Art. 4 (c) specifies that student authorizations will be issued on the basis of an 
individual safety risk assessment carried out by an instructor following a concept 
safety risk assessment carried out by the Member State. In addition, FCL.820 lit. 
(d) specifies the flight test rating requirements. 

3.2.1.4 National 

The Swiss Verordnung fiber die Luftfahrt (Luftfahrtverordnung, LFV) points out 
the obligation to implement a SMS under Art. 103a LFV. Furthermore, Art. 122h 
LFV regulates the deployment of a security officer in conjunction with the federal 
risk analysis. Art. 122k LFV illustrates the responsibility of the federal police for 
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the risk analysis and the associated use of security officers. Finally, Art. 122m LFV 
regulates the obligations of airlines to participate during certain scenarios. 


3.2.2 Swiss Code of Obligations 

In the Swiss Code of Obligations (CO) under article 716a No. 1 the ultimate 
direction of the company is assigned to the Board of Directors (BoD) which has 
the duty to avoid unnecessary risks and minimize unavoidable risks in order to 
assure the existence and progression of the organization. Therefore, the BoD has to 
specify the organization’s risk appetite and the corresponding risk control policies. 
As explained in the previous chapter, the risk goals have to be aligned with the 
organization’s strategic business objectives. Article 716b OR states that the BoD 
can delegate operational risk management to the management. Moreover, there is 
no requirement for a Chief Risk Officer (CRO) for organizations smaller than 
500 employees. 

As mentioned in the introduction, the amendment of the Limited Liability 
Company Law of 1.1.2008 made it mandatory that organizations state, within 
their annex to the financial statements, information about the implementation of a 
risk assessment. 

For specific types of companies, for example the limited liability company 
(GmbH) and the cooperative, explicit reference is made in connection to the 
accounting rules and the rights and obligations of the corporation. Thus, the 
requirement for the publication of information on the implementation of a risk 
assessment has to be annexed to the financial statements for these companies. 
Consequently, risk management must ultimately be considered as a necessity on 
the list of responsibilities of the strategic management level for all types of 
companies, including associations and foundations. 


3.2.3 Bank Regulations 

The Swiss Banks and Saving Banks Regulation (SR 952.02) defines, under Article 
9, the fundamental regulations of risk management for the banking sector. Banks 
have to implement and document procedures for the inclusion of business risks in 
internal guidelines and regulations. In addition, banks are required to seize, limit, 
and supervise market, credit, loss, transactions, liquidities and image risks in 
particular, as well as operational and legal risks. 17 Furthermore, the Swiss Bankers 
Association adopted guidelines for Risk Management in their trade and derivatives 
business in 1996. 


17 Die Bundesbehorden der Schweizerischen Eidgenossenschaft (2013). 
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3.2.4 German Law for Control and Transparency (KonTraG) 

The German Law for Control and Transparency (KonTraG) has been in force since 
May 1998 and calls for the implementation of an adequate risk management system 
for publicly listed companies. In particular, it focuses on the Board of Directors and 
the initiation of appropriate measures to set up a monitoring system which detects 
hazardous developments that could threaten the existence of the organization (§91 
para 2 AktG). The main reasons for the legislative initiative were, on the one hand, 
spectacular business failures in the nineties (Metallgesellschaft, Sachsenmilch, 
Balsam, KHD, Bremer Vulkan, etc.) and, on the other hand, the increasing interna¬ 
tionalization of capital markets and the increasing globalization of shareholder 
structures. 18 Many of the discussions about including risk disclosures in Swiss 
law have been influenced by this German precedent, including Art. 663b E-OR 
and amendment 728A E-OR. 


3.2.5 Institutional Investors 

With the focus on better corporate governance and on safeguarding shareholders’ 
interests, (i.e. Risk Management) institutional investors, especially pension funds 
have historically been very influential and were one of the first forces in 
Switzerland to become vocal on the subject. A forerunner in that field is the 
Swiss Investment Foundation for Sustainable Development (also known as 
Ethosfunds) which was founded in 1997 by amalgamating two pension funds 
based in Geneva, and which now comprises more than 90 pension funds from all 
over Switzerland. Their goal is to promote sustainable development and to invest in 
companies that contribute to positive market developments in that direction. Fur¬ 
thermore, they enable members to exercise shareholder rights in a responsible way 
and to foster good corporate governance practices. Traditionally, pension funds 
have a very conservative way of managing investments because the invested funds 
are the pension savings of the ageing population; therefore, the margin for error is 
very low and these funds mainly invest in companies which manage their risk in an 
exemplary way and provide accurate and transparent risk-related information. 


3.2.6 Impact of US Developments 

Given the fact that some of the world’s largest corporate disasters in the past years 
have happened in the US, shareholders of large companies want increased assur¬ 
ance and better predictability for the performance of their investments. Conse¬ 
quently, public-listed companies are under growing pressure to implement effective 
risk management and predictability mechanisms. In 2002, the Security and 


18 GLP (2008). 
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Table 3.1 Comparison of SOX and Swiss Law 

Sarbanes Oxley and NYSE rules 

Swiss rules 

Sarbanes Oxley Act Section 301 

Swiss Code of Best Practice for Corporate 
Governance, par. 23 

NYSE Section 303 A(7)(d) 

Mandatory for banks (Swiss Federal Banking 
Commission Circulars 95/1) 

Swiss Code of Best Practice for Corporate 
Governance, par. 19 

NYSE Section 303 A(7)(c) (iii) (D) 

Draft article 663b Ziff 12 CO Swiss Code of Best 
Practice for Corporate Governance, par. 19 

Sarbanes Oxley Act Section 404 

Article 716a CO new article 728a CO 


Source : Kalia and Muller (2006) 


Exchange Commission (SEC) and the US government responded to these disasters, 
and to the growing need for security, by enacting new acts and regulations, most 
significantly the Sarbanes Oxley Act (SOX). SOX had an enormous impact on 
Swiss Corporate Governance Law as some elements of SOX were incorporated in 
Swiss requirements made by Basel II type regulations. Table 3.1 shows how Swiss 
rules and regulations have been affected by SOX and New York Stock Exchange 
regulations. 


3.2.7 Press 

The press plays a significant role in bringing issues to the attention of the public, 
thus supporting the worldwide interest in corporate governance that has grown in 
the light of so many corporate scandals. Issues such as Severe Acute Respiratory 
Syndrome (SARS), Mad Cow disease (BSE), the September 11 terrorist attack and 
corporate scandals like Swiss air and Enron, have initiated political debates and 
created an increased awareness among society and business towards risks and risk 
management. 

In addition, there are various other sources which have an influence on corporate 
governance and risk management in Switzerland which are illustrated in Fig. 3.2. 


3.3 Milestones in Risk Management History 

The development of risk management can be divided into five different stages. Each 
stage has its own characteristics and different focus. 

The 1930s marked stage one with the beginning of new concepts and 
discussions, a preliminary stage of Risk Management. 

Stage two evolved during the 1970s with formal Risk Management which 
mainly focused on dealing with credit risks. 
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Fig. 3.2 Forces fostering better risk management in Switzerland. Source : Kalia and Muller 
(2006) 

In the 1980s the focus was on financial risk management (i.e. market risk 
management), in addition to credit risk management, and can be classified as 
stage three. 

During the 1990s operational risk management emerged, enlarging the field to 
operational risks which can be considered as stage four. 

The final stage of the development of Risk Management has evolved during 
recent years and is called corporate risk management. It takes a 360° view of Risk 
Management by integrating Risk Management across functions and divisions within 
a company. 19 


3.3.1 New Concepts 

With the beginnings of Risk Management, the subject only dealt with isolated 
security measures, including some loss prevention and a bundle of largely uncoor¬ 
dinated insurances. 20 In the 1930s, the Glass-Stegall Act prohibited common 
ownership of banks, investment banks, and insurance companies. In 1945, Congress 
passed the McCarran-Ferguson Act, delegating the regulation of insurance to the 
various states. 21 


19 Kalia and Muller (2006), p. 39. 
20 Haller (1999). 

21 Kloman (1999). 
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3.3.2 Credit Risk Management 

During the 1970s stage two evolved with the focus on insurance management, 
i.e. the co-ordination of pure insurance, which could be considered as traditional 
risk transfer. 22 Important milestones in risk management during these years were 
the foundation of a few associations with a strong focus on Risk Management, for 
example the International Association for the Study of Insurance Economics or the 
“Risk Management Circle” of Sweden’s Statsforetag. The American Society of 
Insurance Management was renamed Risk & Insurance Management Society 
(RIMS). Fortune magazine published the article “The Risk Management Revolu¬ 
tion” 23 suggesting co-ordination of formerly unconnected risk management 
functions within an organization, and acceptance by the Board of Directors 
(BoD) of responsibility for preparing organizational policies and supervision of 
the risk management functions. 


3.3.3 Financial Risk Management 

In the third stage, the 1980s, the development of Risk Management diversified in 
two directions: One was risk financing, including concerted deductibles, captives, 
and various mixed forms; the second was risk control in the sense of comprehensive 
risk engineering, partially in close co-ordination with insurance coverage. At the 
end of the 1980s, Risk Management experienced an expansion in the direction of 
risk communication, primarily as a consequence of a loss of trust after large-scale 
accidents in the concerned insurance sectors. 24 


3.3.4 Operational Risk Management 

Stage four began in the 1990s. In certain industrial insurance markets, crises 
affected relationships between industrial insurers and big clients. 25 The term 
Chief Risk Officer (CRO) was used for the first time by James Lam at GE Capital, 
who described the function of the CRO as managing all aspects of risk. Operational 
risk management plays an important role when talking about aviation safety. The 
operational side of aviation is a hazardous environment with many factors 
contributing to unsafe situations. Therefore, special attention has to be placed on 
that area. 


22 Haller (1999). 

23 Kloman (1999). 

24 Haller (1999). 

25 Kalia and Muller (2006), p. 39. 
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3.3.5 Corporate Risk Management 

The 9/11 terrorist attacks on the World Trade Centre, New York 26 gave a new 
dimension to the magnitude of volatility and risk. The New York Stock Exchange 
(NYSE) lost trillions of USD in a day. This had an enormous impact on the 
perception of risk management worldwide. 27 Today, companies embrace the con¬ 
cept of enterprise risk management which takes an overall view of all internal and 
external risks affecting the organization, and aims to provide an integrated 
approach to managing risks across divisions and functions. This has given rise to 
concepts of business continuity management where companies make sure that they 
survive even extreme events, such as terrorist acts, natural disasters, epidemics, and 
major failures. 


3.3.6 Compliance Management 

A significant, current trend is the increasing regulation in the risk management and 
safety management sector which can be considered as a real challenge, especially 
for the aviation industry. These regulations require additional resources to set up 
and implement different obligatory mechanisms or systems and require on-going 
compliance monitoring and audits. Figure 3.3 provides a graphic illustration of 
these developments and also shows how risk management has evolved during the 
past decades. 


3.4 General Risk Management Models 

The following risk management frameworks illustrate a structured approach 
towards the management of risks. 


3.4.1 COSO Enterprise Risk Management—Integrated Framework 

The COSO model can be considered as the oldest risk management framework. It 
was initially developed to improve the quality of financial reporting within ethically 
aware companies, in combination with an effective internal control system. In 1985 
the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 
was established as a platform for the National Commission on Fraudulent Financial 
Reporting. The system was approved in 1992 by the SEC (Securities and Exchange 
Commission) as standard for the internal control system and was constantly devel¬ 
oped further throughout the following years. 28 


26 Kalia and Muller (2006), p. 40. 

27 Kalia and Muller (2006), p. 40. 

28 Hasch and Muller (2009). 
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Fig. 3.3 Development of risk management. Source : Adapted from Kalia and Muller (2006) 


The COSO Enterprise Risk-Management Framework comprises three interre¬ 
lated dimensions which are illustrated in Fig. 3.4. 

The first dimension shows the main components which are common to the 

managerial level and are integrated within the overall management process. 

1. Internal Environment: The internal environment describes how managers, 
employees and the whole organization views and addresses risks including 
Risk Management philosophy and risk appetite, integrity and ethical values, as 
well as the environment in which they operate. 

2. Objective Setting: An organization should follow clear objectives. It is vital for 
the organization to identify the associated risks which should be in line with the 
risk policy, and consistent with the risk appetite of the organization. 

3. Event Identification: Internal and external events affecting the achievement of 
the organization’s objectives must be identified. Moreover, having distinguished 
risks from opportunities, the opportunities should be channeled back into man¬ 
agement strategy or objective-setting processes. 

4. Risk Assessment: The identified risks are classified according to their likelihood 
and impact. Likelihood and impact are assessed in order to obtain a solid basis 
for the risk response. 

5. Risk Response: Management is responsible for the initiation of risk responses. 
These include, but are not limited to, avoiding, accepting, reducing or sharing 
risks and encompass the development of an appropriate set of actions to align 
risks with the entity’s risk tolerances. 

6. Control Activities: In order to track that the risk responses are effectively 
carried out, specific policies and procedures have to be established and 
implemented. 

7. Information and Communication: Relevant information has to be identified 
and communicated in order to enable employees and management to carry out 
their responsibilities. Effective communication occurs horizontally as well as 
vertically in modern organizations. 
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Fig. 3.4 COSO framework. 
Source : Enterprise risk 
management—integrated 
framework 



8. Monitoring: Enterprise Risk Management is illustrated and documented 
throughout the organization. Monitoring is accomplished through ongoing man¬ 
agement activities, separate evaluations, or both. 

The second dimension, on top, classifies the different types of risks or the 
entity’s objectives within an organization. COSO distinguishes between strategic, 
operational, reporting and compliance risks. 

The third dimension illustrates risk management in relation to the entirety of an 
organization’s enterprise risk management. This comprises the entity level, divi¬ 
sion, business unit or subsidiary. 29 


3.4.2 ISO 31000:2009 Risk Management—Principles 
and Guidelines 

The ISO 31000:2009 Risk Management Principles and Guidelines is the worldwide 
available standard for risk management. The purpose of the ISO 31000 standard is 
to integrate and adapt the risk management process to already available manage¬ 
ment systems, in order to optimize and tailor the risk management process to the 
needs of organizations and not to just fulfill compliance issues. 

The system is based on the following core principles: 

• Top Management is accountable for Risk Management, which has to be con¬ 
stantly monitored and controlled. 


29 Committee of Sponsoring Organizations of the Treadway Commission (2004). 
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Fig. 3.5 Systemic approach to Risk Management according to ISO 31000. Source : ISO 
31000:2009 

• Risks have to be communicated throughout the organization on all operational 
management levels and not just on a strategic level. The initiation of the risk 
management process has to be communicated top down through all management 
levels. 

• Finally the ISO standard tries to identify all the different internal and external 
risks throughout an organization. These identified risks influence the overall 
implementation of the risk management system. 

Figure 3.5 illustrates the systemic approach of the ISO 31000 which combines 
the risk management process, and integration into the risk management system. The 
risk management process defines the procedure of identifying risks, analyzing and 
evaluating them including the application of appropriate mitigation measures and 
the final communication throughout the organization. The risk management system 
includes all measures like planning, implementation, evaluation and continuous 
improvement in terms of the Deming Circle 30 and should be understood as a vital 
part of the strategic management of an organization. 


3.4.3 ISO 22301 Business Continuity Management 

A Business Continuity Management System (BCMS) aims to make public and 
private organizations more resilient in times of extreme events. This standard 
supports organizations of any size to proactively prepare for managing disruption 
which might endanger the survival of a company. Typically, incidents can disrupt 
the business environment or even directly affect an organization negatively. ISO 


30 Morris and Pinto (2010), p. 141. 
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2203 prepares organizations for disruptive events and ensures that they can respond 
in an appropriate manner and protect and continue their operations. 31 

The ISO 22301 structure focuses on specific key areas which are crucial for 
business continuity planning. 

• Part 4: Context of the Organization 

• Part 5: Leadership 

• Part 6: Planning 

• Part 7: Support 

• Part 8: Operation 

• Part 9: Performance Evaluation 

• Part 10: Improvement 

Part 4 of the standard focuses on the context of the organization and determines 
the external and internal issues which could have an effect on the organization. This 
part especially focuses on the potential impact a disruptive event might have on the 
organization’s activities, functions, services, products, relationships with interested 
parties, supply chains, and partnerships. It makes the link between the business 
continuity policy and the organization’s objectives, policies and risk management 
strategy. Furthermore, it takes the legal, regulatory and additional requirements of 
the organization into account. 

Part 5 concentrates on the leadership aspect, which requires ongoing commit¬ 
ment to the BCMS by top management. Here it is important that the BCMS is 
compatible with the strategic organization which requires the integration into 
established business processes, and the provision of the necessary resources. 
Responsibilities and areas of authority have to be clearly delegated and have to 
be constantly assessed. In addition, the communication of the significance of the 
BCMS and constant monitoring, direction and support are required in order to 
ensure efficient implementation. 

Part 6 is the planning phase where the objectives are developed on how to treat 
the identified risks and how to comply with organizational requirements. The 
objectives have to be measurable and consistent with the business continuity policy, 
and have to assess the minimum level of products and services that is acceptable for 
the organization to survive. 

Part 7 deals with the assignment of the appropriate resources for each task. Only 
competent staff with relevant training is qualified to perform the implementation 
and maintenance of a BCMS. Furthermore, the creation, update and control of the 
required documentation is specified in this part. 

Part 8 deals with the operation of the BCMS. By performing a Business Impact 
Analysis (BIA) an organization can identify critical processes that support its key 
products and services and their interdependencies between each other. Moreover, 
an organization can identify the required resources to operate the processes at a 
minimally-acceptable level. In addition, a solid risk assessment is the key to a solid 
Business Impact Analysis. These points have to be considered when documenting 


31 


Towards a Safer World (2012). 
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the business continuity procedures which aim to minimize the consequences of 
disruptive events through the implementation of appropriate mitigation strategies. 

Part 9 specifies the performance evaluation and the permanent monitoring of the 
systems to improve their operation. This will be assured by constant monitoring of 
compliance, historical evidence, internal audits and ongoing management reviews. 

Part 10 emphasizes the continuous improvement of the effectiveness of the 
system, its inherent processes, and objectives. 32 
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Companies that are subject to regular audits must continue to confirm the existence 
of an internal control system (ICS). To date, auditors assess the internal control 
system only to obtain an understanding of the entity to be audited for consideration 
in the preparation of the ICS audit strategy and the audit approach. 

This chapter provides an overview of: 

• The concept and objectives of an Internal Control System 

• The different components of an Internal Control System 

• Tasks and responsibilities and 

• Minimum requirements for an Internal Control System 


4.1 Concept and Objectives of the Internal Control System 
(ICS) 

An internal control system encompasses all processes, methods and measures 
arranged by the directors and the senior management that serve to ensure the proper, 
ongoing conduct of a business. The organizational measures of the internal control 
are integrated in the operational processes, which means they are part of the work 
execution. 

In this case, a current state is determined and compared with a target value 
(target state). The Internal Control is supportive of: 

• The achievement of business objectives through effective and efficient 
management 

• Compliance with laws and regulations (compliance) 
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• The protection of business assets 

• The prevention, reduction and detection of errors and irregularities 

• Ensuring the reliability and completeness of the accounting 

• Timely and reliable financial reporting 

The main tasks of an internal control system (ICS) are, on the one hand, to 
improve the reliability and completeness of the accounting and external financial 
reporting (accounting), and, on the other, the prevention and detection of errors and 
irregularities including fraud in accounting and financial reporting. 


4.1.1 Components of an ICS 

The design and the implementation of an ICS depend on the size of the business, the 
business risks and the complexity of the organization. Smaller companies can more 
easily achieve the objectives of an ICS with less formal means and simpler 
processes and structures. 

Based on COSO, the components of an ICS are subsequently divided into the 
following five categories: 


Category 

Description 

Control Environment 

The design of the control environment of a company comprises various 
components and the way management influences the processes in the 
company. 

These include regulations for the delegation of tasks and 
responsibilities, communication and enforcement of integrity and 
ethical values, commitment to competence, the involvement of those 
responsible for the management and supervision, leadership principles 
and management style, organizational structure and, finally, interaction 
with employees and customers. 

Risk Assessment 

Every organization needs to be aware of the risks that it is exposed to 

and how to manage these risks. The risk assessment typically involves: 

• Specification of corporate objectives and risk management objectives 
(safety objectives), Department of Risk Management Policies 

• Risk identification (identifying the principal risks that could result in 
a misstatement in the accounts, and the accounting and business risks 
that could affect the financial reporting) 

• Risk assessment (assessment of the importance of a risk, and 
assessment of the likelihood of occurrence) 

• Information/communication (defining who, when, what is to be 
informed) 

• Risk Management (decisions about possible measures) 

• Monitoring of the control measures 

Control Activities 

Each company must define and implement instructions and procedures 
to ensure that those activities which have been considered as necessary 
targets by the BoD and the Executive Board are actually executed. 
Examples of control activities are the processes of authorization 
(authorization levels, signature policies), work instructions, 
performance monitoring, entry rights in IT processes, physical controls 
and segregation of duties/4-eyes principle. 


(continued) 
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Category 

Description 

Accounting relevant 
information systems 

Information and communication channels must be defined so that the 
board and the employees have the right information at the right time in 
order to perform the required activities/controls. 

Information systems that ensure that all relevant information is reliable 
and timely collected, processed and distributed are a prerequisite. 

Monitoring of the 
internal control system 

The ICS is only effective if the control measures are reliable in the long 
term. Therefore, the ICS must be constantly monitored so that it 
remains effective. This includes a timely review of the structure and 
function of the controls by supervisors and the implementation of 
necessary corrective measures. 


4.1.2 ICS Tasks and Responsibilities 

The responsibility for the implementation of an ICS is with the Board of Directors; 
respectively it’s the Audit Committee. Primarily, the BoD has to make sure that the 
appropriate control measures are taken so that misstatements of transactions and the 
related statements are prevented, detected or can be corrected. The management, 
however, is responsible for the operation and maintenance. The tasks and responsi¬ 
bilities in the area of the ICS can be illustrated as follows: 


Board of Directors resp. its Implementing and maintaining a functioning internal control 
Audit Committee system as the core of the monitoring function of the BoD in 



relation to the accounting of the company. In particular, the 
set-up of the processes in relation to: 

• Targets 

• Scope and expansion level of the ICS 

• Documentation requirements 

• Reporting requirements 

Ensuring the implementation of the measures to be taken by the 
management related to the framework of the ICS 

Maintaining an adequate monitoring of the effectiveness of the 
ICS. This requires: 

• Regular consultation with management (effectiveness of the ICS) 

• Evaluation of reviews by the management of the ICS 

• Initiation and monitoring of measures to correct deficiencies 

• Use of Internal Audit for the monitoring and evaluation of the ICS 

Management 

Implementation of the principles defined by the BoD: 

• A systematic approach to the collection of an adequate control 
structure 

• Development of appropriate processes for the identification, 
assessment, monitoring and control of identified risks 

• Identification of key controls and their monitoring, and 
ensuring that corrective measures are taken 

• The maintenance and documentation of an organizational 
structure that clearly functions in line with all assigned 
responsibilities, skills and information flows 


(continued) 
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• Documentation and verifiability of the ICS regarding the 
reliability of financial reporting, and for ensuring the 
fulfillment of delegated tasks 

• Ensuring the necessary technical and human resources and 
quality of staff (training, experience) 

Auditors (based on Article 
727 OR) 


• Verification of the existence of the ICS 

• Reporting to the General Assembly 

• Detailed reporting to the Board of Directors regarding the audit 
of the ICS 


The Board has to periodically deal with the following fundamental issues in 

relation to the ICS: 

1. Are all significant risks in the operational business processes known? 

2. Are there measures that reduce these significant risks to an acceptable level for 
the company? 

3. Do BoD and Management receive the guarantee that the ICS is actually effective 
and operating efficiently? 

4. Do organization and corporate culture allow for continuous improvement of 
processes and controls? 


4.1.3 Minimum Requirements for an ICS 

The Fiduciary Chamber, as a professional organization for accountants in 
Switzerland has issued a position paper, which states that the degree and the 
requirements for an ICS have to be adapted to the complexity and size of the 
organization. In particular, the size and activities of the company, the number and 
complexity of transactions, the ownership structure and financing play a role. In 
determining the requirements of the ICS, the Board of Directors considers the 
principle aspects of effectiveness, accountability and efficiency: 


Aspect 

Meaning/content/expression 

Effectiveness 

• Compliance with the corporate culture 

• Clearly defined responsibilities 

• Controls are aligned to risks 

• Controls are integrated into processes and are monitored 

• Sufficient tested controls 

• Well trained employees 

• A clearly defined information and escalation process 

Traceability 

• ICS objectives and degree of expansion are documented 

• Business risks are documented 

• Processes and controls are recorded in writing 

• Control activities are clearly documented 

• The quality of the ICS is regularly assessed and reported 

Efficiency 

• ICS is an integral part of the enterprise-wide risk management 

• Use of internal audit and coordination with auditors 

• Focusing on key risks 

• Possibility to automate the controls 
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There are no statutory regulations on the scope and the minimum requirements 
for the ICS. 1 However, the ICS must meet certain requirements to ensure that the 
auditor can confirm its existence: 

• The ICS must be documented 

• The ICS has to have the size relevant to business risks and be appropriate to the 
scope of the business 

• The ICS must be communicated to the employees 

• The ICS must be applied and has to be implemented 

• The company must have a control consciousness 

An internal control system, like the company, has to develop itself further and 
further. The adaption to changing environmental conditions is of central impor¬ 
tance. Globalization, competitive pressures, new technologies and legal changes 
have, therefore, always to be included into business processes. In addition, the ICS 
must be continually reviewed and the responsible manager has to react immediately 
if adjustments are needed. The costs, however, have to always be kept in mind. The 
costs of establishing and maintaining the ICS are, in the medium term, certainly 
expected to be offset by the following benefits: 

• Clear organization, roles and responsibilities within the company 

• Identified business risks associated with controls, a step towards Enterprise Risk 
Management (ERM) 

• Identification of efficiency potential in business processes 

• Reduced amount of error corrections (since errors are detected more quickly) 

• Development of control consciousness of employees at all levels 

• Increased confidence in the financial report (stakeholders) 

• Improved corporate monitoring 

• Eliminated redundancies in the controlling processes 

• Reduced risk of fraud 

• Fewer error corrections during the audit 

Such an ICS almost automatically satisfies the requirements for auditability; the 
compliance can be regarded as a “by-product”. 
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To understand the fundamentals and the structure of a Safety Management System 
the developments and the basics have to be explained. This chapter provides an 
overview of: 

• The general development of safety and accidents 

• The organizational accident causation by James Reason 

• The regulatory environment 

• The structure and objectives of a Safety Management System 


5.1 Development of Safety and Accidents 

As having an acceptable air safety record is an important indicator of an airline’s 
success, improving safety has constantly been a major focus for the aviation 
industry. Over the past years there has been a constant increase in the reliability 
of machines and software in the aviation industry. Unfortunately, the reliability of 
humans and organizational systems has not improved at the same speed. 1 

The early years of commercial aviation were notorious for underdeveloped 
technology and inadequate infrastructure, where limited oversight by the 
authorities, and almost no regulation, was common practice. The aviation business 
was driven by production demands and there was no understanding of safety 
management measures, like hazard identification and Risk Management. Aviation 
developed very quickly with ambitious production objectives which lacked the 


1 International Civil Aviation Organisation (ICAO) (2009). 

R. Muller (M) 

Center for Aviation Competence, University of St. Gallen, St. Gallen, Switzerland 
e-mail: r.mueller@advocat.ch 

C. Drax 

P3 aviation, P3 Group, Lorsch, Germany 
e-mail: ch.drax@gmail.com 

R. Muller et al. (eds.), Aviation Risk and Safety Management , 45 

Management for Professionals, DOI 10.1007/978-3-319-02780-7_5, 

© Springer International Publishing Switzerland 2014 





46 


R. Muller and C. Drax 


necessary means and resources for safety management and was characterized by a 
high frequency in breakdowns and accidents. 

The former principals of accident prevention and investigation were driven by 
reactive processes. Outcomes only became visible after an accident had already 
happened. With increasing regulation during the 1950s, advanced technology and 
the fast development of infrastructure, accident rates declined steadily. The com¬ 
mon thinking in those days was as long as rules were followed, there should be no 
safety violation. 

The belief was that only if rules are disregarded, could eventual breakdowns be 
considered. It was possible to minimize risks by introducing regulatory limitations, 
but with the increase in aviation complexity it became impossible to cover all 
operational scenarios in such a dynamic environment. Accident investigations 
mainly had the focus on technological breakdowns with less focus on human or 
organizational factors. 

The typical approach for the identification of the cause of an accident was to ask 
what, who and when. This ignored the why and how an accident happened, which 
are of real importance to fully understanding the safety breakdowns or hazardous 
conditions. Recent years have shown that the perception has changed towards 
understanding why and how accidents happened. When looking at the development 
of safety thinking, the first years of aviation until the 1970s can certainly be seen as 
the “technical era” where safety violations and concerns were typically linked to 
technical factors. 

Given the fact that technology was not fully developed to cope with mass 
transportation demand, technological failures were a recurring factor. Therefore, 
the main focus in those days was put on the investigation and improvement of 
technical issues. During the 1970s major technical improvements like radar, jet 
engines, autopilots, flight directors, improved navigation and performance enhanc¬ 
ing technologies, both on the ground and in the air, were introduced and radically 
minimized technical failures. 2 

These changes introduced the “human era” and the safety efforts shifted focus to 
human factors. With the introduction of crew resource management (CRM) and line 
oriented flight training (LOFT), massive efforts were made to try to control human 
error. However, human error continued as a frequent factor in safety violations. 
From the early 1990s on it was recognized that individuals can’t be seen as “stand 
alone” within the operational context. 3 The causal sequence of accidents—from 
organizational factors, to local workplace conditions, to individual unsafe acts, to 
failed defenses and negative outcomes—has to be taken into consideration; those 
elements reveal the contributing factors of potential failures. 

For any accident, the focus must be on the organizational factors, for example 
the safety culture of an organization and what local conditions could have shaped or 
provoked it. 4 


2 International Civil Aviation Organisation (ICAO) (2009), p. 2-3. 

3 International Civil Aviation Organisation (ICAO) (2009), pp. 2-2, 2-5. 

4 Reason (2004), p. 18. 
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Fig. 5.1 Evolution of safety 
thinking. Source : 

ICAO SMM 
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Figure 5.1 illustrates the timeline of the evolution of safety thinking and encloses 
the above mentioned contributing factors. 


5.2 The Organizational Accident Causation 

By taking a closer look at what causes an accident it is not possible to simply point 
out one factor which is responsible. Accidents require a chain of enabling factors 
where each together has to be present to cause an accident, but individually has 
insufficient power to breach the system’s defenses. This underlines the complex and 
well protected aviation system where single point failures are rarely consequential 
because they are protected by various defenses such as regulations, training and 
technology. 5 

By looking at Fig. 5.2 it should become clear that operational errors or 
disregarded procedures are delayed effects which have been missed by managers, 
workplace conditions or organizational processes. Those errors will continue to 
emerge until organizational or workplace conditions are changed towards better 
safety awareness. Operational failures act as triggers of latent conditions where 
people in complex systems make mistakes or violate procedures for reasons that 
usually go beyond the scope of individual psychology. 6 Those latent conditions 
doze in the system and become apparent once the defenses of the system are 
breached. 7 

Other contributing factors to an organizational accident are active failures. 
These failures are errors or violations committed by front line personnel such as 
ground staff, pilots, and air traffic controllers which have a direct impact on the 
safety of the aviation system and which may result in a damaging outcome. 8 

Summarizing the cause of an organizational accident reveals the different stages 
which are required to generate an accident. Most of the latent conditions start with 
the decision makers and organizational processes which are often subject to human 


5 International Civil Aviation Organisation (ICAO) (2009), p. 2.4.1. 

6 Reason (2004), p. 10. 

7 International Civil Aviation Organisation (ICAO) (2009), pp. 2.5-2.6. 

8 Reason (2004), p. 10. 
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Fig. 5.2 Stages involved in an organizational accident (James Reason 2003, p. 90). Source : 
Reason (2004) 

biases and limitations, such as budgets and politics. Internal processes must be 
established to detect those threats and neutralize them. The decisions made by line 
management may lead to inadequate training, violation of maximum working hours 
or protective workplace measures. 

The result will generate a workforce which has inadequate knowledge and skills 
or is not able to apply the right operating procedures. The consequence of 
generating errors and violations will lead to active failures and potential accidents 
which, in total, reflect a poor safety culture. 9 


5.3 Regulation of Safety Management Systems 

With amendment 30 to ICAO Annex 6 Part I, the International Civil Aviation 
Organization introduced a new paragraph, 3.3 which addresses safety management, 
and under paragraphs 3.3.4-3.3.8 set standards which require that states, as part of 
their safety program, have to ensure that an air operator implements an acceptable 
safety management system (SMS). 10 


5.3.1 ICAO Regulations * 11 

Relevant for the implementation of an SMS are the standards and recommended 
practices (SARP). They can be found in the ICAO annexes 6, 11, 14 and the ICAO 
Safety Management Manual. Furthermore, ICAO Annex 19, 1st edition is applica¬ 
ble from the 14th November 2013. All of the safety management provisions in 


9 International Civil Aviation Organisation (ICAO) (2009), p. 2-6. 

10 International Civil Aviation Organization (ICAO) (2010), p. 3-3. 

11 Further guidance material can be found at http://www.icao.int/safety/ism/ICAO%20Annexes/ 
Forms/Allltems.aspx. 
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Annex 19, 1st edition, were transferred or duplicated from safety management 
provisions previously contained in the six different Annexes, with the exception of: 

1. The Safety Management System (SMS) framework now applies to organizations 
responsible for the type design and manufacture of aircraft; 

2. The four components of the State Safety Program (SSP) framework are elevated 
to the status of Standard in Chapter 3; 

3. The State Safety Oversight is applicable to the oversight of all product and 
service providers; and 

4. The Safety Data Collection Analysis and Exchange (Chapter 5) and the Legal 
Guidance for the Protection of Safety Information from Safety Data collection 
and processing systems (Attachment B) complement the SSP. 12 

ICAO regulations are categorized into primary and secondary ICAO- 
law. 13 Primary ICAO-law is everything that is part of the Convention of Chicago, 14 
which was signed by Switzerland on the 6th February 1947 and has been effective 
since the 4th April 1947. 

The secondary ICAO-law consists of 18 annexes containing standards, 
recommended practices, procedures for Air Navigation Services (PANS), and 
Regional Supplementary Procedures (SUPPS). 15 

In contrast to the EU (EASA) the ICAO has no sovereign powers. Normally, the 
application of ICAO regulations and annexes in Swiss law is implemented through 
the adoption or amendment of an already existing statute or the creation of a new 
one. The recently added article 6a LFG explicitly foresees the possibility of a direct 
application of the ICAO annexes. 16 This reference to and delegation of a piece of 
legislation established by organizations which are not subject to international law 
(i.e. ICAO, and JAA) can be problematic (see 3.2.4). Nevertheless, as long as the 
treaty’s clauses are self-executing, no transformation into national law is required. 
US-Courts decided that article 5, 8, 15, 20, 24, 29, 32, 33 and 36 CHI are directly 
applicable. There has been no decision, so far, about whether the annexes of the 
convention are directly applicable. 17 


5.3.2 EASA Regulations 

EASA regulations are divided into recommendations (soft law) and standards (hard 
law). Hard law is binding for all member states and established by the EU Commis¬ 
sion, EU Parliament or the EU Council; whereas soft law [Acceptable Means of 


12 International Civil Aviation Organization (ICAO) (2013). 

13 Muller and Schmid (2009). 

14 International Civil Aviation Organisation (ICAO) (1944). 

15 Muller and Schmid (2009), pp. 26-27. 

16 The federal council has made use of this reference for example in art. 138 & 103a LFV, art. 
3bis VIL. 

17 Muller and Schmid (2009), p. 27. 
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Compliance (AMC), Guidance Material (GM) and Certifications Specifications 
(CS)] are not binding. Acceptable Means of Compliance (AMC) illustrate a 
means, but not the only means, by which a requirement contained in an EASA 
airworthiness code or an implementing rule of the Basic Regulation, can be met. An 
applicant correctly implementing an AMC issued by EASA is assured of acceptance 
of compliance. 18 The soft regulations are established directly by EASA itself. 19 


5.3.3 CAA 

Even though aviation is internationally regulated with the ICAO regulations on the 
one side and with EU laws, based on the EASA regulations on the other side, there 
are still Civil Aviation authorities in each country. Their purpose is not only to 
transfer these regulations into national law, but also to identify country specific 
amendments. 

As Switzerland is not part of the EU, regulations have to be accepted in a special 
procedure which is determined in the bilateral agreement on air transportation with 
the European Community (Luftverkehrsabkommen, LVA 20 ). For an 
EU-Regulation to be transformed into Swiss law there has to be a decision by the 
aviation committee which, if accepted, becomes the equivalent to a bilateral treaty. 
The Swiss Federal Counsel or, in special cases, the Swiss Parliament 21 need to then 
give their consent. In this context, it is important that every amendment needs 
approval again. 22 

So far no European regulation concerning the introduction of SMS exists. 
However, the EASA stated its intention to translate the SMS related provisions in 
ICAO Annex 6 into upcoming rulemaking proposals. 23 Until now, only the 
EU-OPS 1.037 exists which defines an “accident prevention and flight safety 
program” consisting of a risk awareness system, reporting system, evaluation of 
accident information and a flight data monitoring program for airplanes heavier 
than 27,000 kg MCTOM. 

Furthermore, every organization needs to have a person accountable for manag¬ 
ing the program. 24 Despite EASA concluding that EU OPS-1 is consistent with the 
major principles of the ICAO SMS, 25 it has already placed a notice of proposed 
amendment (NPA). 26 The NPA-2008-22c mainly contains the ICAO standards with 


18 European Aviation Safety Agency (n.d.). 

19 Bundesamt fur Zivilluftfahrt (BAZL) (2007, p. 6. 

20 European Union (2002). 

21 See art. 184 paragraph 2 Cst. respectively art. 7a RVOG in connection with art. 3a LFG. 

22 Article 22 paragraph 4 LVA. 

23 EASA, NPA AR/OR. 

24 European Union (2008), p. 6. 

25 European Aviation Safety Agency (EASA) (2007), p. 1. 

26 For detailed information and content of the NPA see NPA-2008-22a Appendix II N.26 ff., and 
NPA-2008-22c especially OR.GEN.200 and AMC’s to OR.GEN.200. 
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much more detailed requirements for small operations. 27 Swiss aviation service 
providers should therefore closely track EASA developments. However, a delay of 
6 months has to be expected. 28 


5.4 Importance and Objectives of a Safety Management 
System 

Given the complexity of the aviation system with its rapidly changing operational 
environment and demanding authority regulations, the air operators are facing 
increased pressure on the financial as well as operational side. These underlying 
characteristics of complexity and rapid change in the aviation industry demand a 
systematic approach towards managing safety. 

The key to success is a safety management system, which can be described as a 
set of processes or components that combine operational and technical systems with 
financial and human resource management. Those processes are present in every 
activity of an air operator, airport or an approved maintenance organization. It is a 
methodical approach to safety with the focus on goal setting and a clear definition 
of accountability throughout the operator’s organization. 

An SMS aims at continuous improvement to the overall level of safety while 
measuring performance, analyzing processes and becoming an integral part of the 
company’s business management activities and corporate culture. 29 

The implementation of an SMS requires processes which allow the control of 
safety risks, and introduces the concept of an acceptable level of safety. 

In order to describe the basic components of a safety management system, a look 
at the structured elements is necessary. These elements are presented as the “four 
pillars” and illustrate the principles and basic concepts of the SMS structure. The 
structured elements must exist and have to be robustly executed in order to make 
the SMS effective. 30 


5.4.1 Pillar One: Policy 

The policy of an air operator’s management is a written expression of the company’s 
intentions, philosophy and commitment to safety. It generally describes the 
accountabilities and responsibilities of the personnel involved. Furthermore, it 
focuses on achieving safety goals or safety performance targets, with the 
corresponding measures to achieve those targets. 31 The policy should focus on the 


27 See AMC to OR.GEN.200 in NPA-2008-22c. 
28 Bundesamt fiir Zivilluftfahrt (BAZL) (2007), p. 19. 

29 Department of Transportation Canada (DOT) (2002), p. 6. 
30 FAA (AFS-800) (2006), p. 9. 

31 Stolzer, Halford, and Goglia (2008), p. 25. 
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continuous improvement of the overall level of safety through the management of 
safety risks and establishment of clear standards for behavior. The commitment of 
senior management is the key success indicator for a successful safety management 
system. Therefore, it must be a high level statement signed by senior management 
and should provide assistance to everyone who is in direct or indirect contact with 
safety performance. Fundamentally, it should also provide a specific roadmap so that 
all safety management activities are efficient and shared among the company. 32 


5.4.2 Pillar Two: Risk Management 

The risk management process is the fundamental task to control risks at an 
acceptable level and can be seen as the key task in safety management. The process 
consists of identifying hazards, assessing the risks, developing mitigation measures, 
controlling safety risks and monitoring the effects of safety actions. The underlying 
plan of risk management is that the severity and likelihood of an event occurring 
can be minimized. Risk management is a basis for decision making concerning how 
to handle occurrences which affect aviation safety. In addition, it is a basis for 
incident assessments, their implications and evaluating the results. A key to success 
is constant and direct communication throughout the organization. 33 

A detailed understanding of operational systems is a prerequisite for risk man¬ 
agement. These systems encompass the organizational structures, processes and 
procedures, people, equipment, and facilities which have a contribution to the 
organization’s productivity. An in depth systems engineering analysis will empha¬ 
size the interactions between hardware such as aircraft, software, people and the 
environment. It points out weaknesses in the identification of hazards and 
associated risks. 34 


5.4.3 Pillar Three: Safety Assurance 

Safety assurance shall mean all planned and systematic actions necessary to afford ade¬ 
quate confidence that a product, a service, an organization or a functional system achieves 
acceptable or tolerable safety 35 

Having policies, processes, measures, assessments and controls in place, an opera¬ 
tor has to put emphasis to the following processes to assure the highest level of 
safety. 36 Aviation organizations must develop safety performance monitoring and 
measurement processes in order to maintain the means to validate the safety 


32 Department of Transportation (DOT) Canada (2004), p. 10. 

33 Stolzer et al. (2008), p. 26. 

34 Stolzer et al. (2008), p. 26. 

35 The Commission of the European Communities (EC) No 2096/2005 (2005), p. 335/16. 

36 Stolzer et al. (2008), p. 27. 
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performance of their operations in relation to the safety policy, and to confirm the 
efficiency of safety risk management. Safety performance and safety monitoring 
must have structured reporting processes where it is clear which types of opera¬ 
tional behavior are acceptable or unacceptable. 

It must be explicitly defined under which conditions immunity from disciplinary 
action has to be considered. The aviation service provider must constantly apply the 
management of change and develop and maintain formal processes to identify 
deviations within the operational environment which may have an effect on the 
established processes and services. Operational changes have to be implemented 
and documented to modify the safety risk controls that are no longer needed or 
effective. Management must constantly identify causes of deviations in safety 
standards and procedures of the SMS and work on continuous improvement of 
the SMS with regular safety audits and management reviews to eliminate such 
deviations. 37 

An important instrument for safety assurance is the Safety Review Board (SRB). 
The SRB should normally comprise the Accountable Executive, Safety Manager 
and different managers from their corresponding field of duty (ground ops, flight 
ops, etc.). The Safety Review Board should meet monthly in order to assess the 
submitted safety reports of the employees. This review and assessment process 
should deliver monthly reports which can be processed internally and also be 
forwarded to aviation authorities. 

These reports should include SMS performance indicators which illustrate 
quantifiable attributes from analyzed events. The performance indicators should 
have concentrated expressiveness, the ability to allow internal and external 
comparisons, and should point out developments and tendencies. Safety perfor¬ 
mance indicators on their own only provide stimulating information for further 
analysis. Therefore, securing comparability is essential for internal and external 
analysis. Safety performance indicators are generally data based expressions of the 
frequency of occurrence of some events, incidents or reports. There is no single 
safety performance indicator that is appropriate for all organizations. 

The indicators chosen should correspond to the relevant safety goals. Examples 
of possible safety indicators are as follows: 

• Number of in-flight incidents per 1,000 flight hours/cycles 

• Number of findings per audit (or other measurable audit performance criteria) 

• Number of hazard/safety reports received, etc. 

• Number of incidents in daily operations 


5.4.4 Pillar Four: Safety Promotion 

To boost a sound safety culture, an organization must constantly strive for safety 
excellence and promote safety as the core value. 38 The organization should have 


37 International Civil Aviation Organisation (ICAO) (2007), p. A6. 

38 Stolzer etal. (2008), p. 28. 
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Fig. 5.3 Four pillars of a 
safety management system. 

Source : Own illustration 

Safety Management System 

I 


clearly defined arrangements to ensure that the work achieved by the Safety 
Manager and committees (e.g. SAG or other), as well as line management, is 
transmitted to all those involved in the relevant activities (Fig. 5.3). The lessons 
learned must be communicated effectively in order to promote system 
achievements. 
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This chapter provides an overview of: 

• Different sources of risk from a microeconomic perspective 

• The conflicting nature of risk perception: managers vs. shareholders 

• Different risk perceptions of shareholders and stakeholders 

• Systemic risk in network industries 

• Implications of risk management on an operational level 

• The cost and benefits of implementation and optimization of risk management 
for the company 


6.1 Introduction 

The representatives of the strategic management level of companies have the 
perception that risk management causes too high costs. In reality, this perception 
can be ignored if all relevant consequences of risk management are taken into 
account. An example of this comes from the experience of the authors with a large 
overhaul and maintenance company, employing about 5,000 people, where the 
insurance fees were reduced by 25 % due to the implementation of Risk Manage¬ 
ment. Before the company had its own Risk Management, the insurance firm would 
create its own risk assessment of the company, coming up with a risk list including 
50 risks. After the implementation of the risk management process by the company 
itself, 250 risks were found internally and added to the risk list. With this the 
company was able to show that it recognized the risks and that risks were constantly 
measured and reduced, which lead to an insurance premium reduction of 25 %, as 
mentioned above, and really added value to the company. 

Risk is the shadow of business opportunities. Different literature often links risk 
to financial risk. The worst that can happen is if a risk comes true and places the 
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company in a situation of cash shortage. Enterprise risk management aims to 
manage risk at a level of detail that has been decided upon by the board of 
directors. 1 The attention to detail depends on the costs the board of directors is 
willing to allocate for Risk Management. At the beginning, one of the major 
unknowns is the benefit that risk prevention and management can bring to a 
company. 

Much literature about risk is found in the field of modern financial theory and is 
based on three rationales 2 : risk/retum trade off, rational wealth maximization, and 
the no-arbitrage principle. Risk Management is understood within the context of 
these rationales in the financial literature. The focus of this chapter, with respect to 
financial theory, is on the risk/return trade off, where it is argued that by 
implementing a simple process, the monitoring of risks is not very costly in 
comparison to the occurrence of a non-identified risk, which can be deadly for a 
company. This chapter does not only follow a financial rationale. Hence, risks are 
not only addressed from a financial perspective; business, strategic, structure, and 
systemic risks especially play a relevant role when dealing with risk assessments 
and management. One issue of the implementation of risk management processes is 
their costs and benefits though. If risk management were costless—meaning 
allowing companies to reduce risk without any cost—managers would implement 
it in great detail, as it also reduces their own risk based on their responsibility. As 
risk management is costly, it is important to find the most efficient way to keep 
transaction costs low and limit expended resources, while also ensuring risk 
monitoring results in a maximum of risk reduction. 3 

Risk, as it is understood in this chapter, is a corporate approach or philosophy 
used to create risk intelligence within a company by utilizing internal and external 
knowledge and measures. The goal of a continuous risk management process is to 
create a risk adverse corporate culture and, by this, create a great benefit for the 
company. In the context of this book, Risk Management is focused on in the 
aviation industry. Figure 6.1 highlights the development process of efficient Risk 
Management. There is a shift from organization, which through the development of 
processes leads to a culture. 


6.2 Sources of Microeconomic Risks 

In general, enterprise risk can be divided into six sources: business or operating risk, 
strategic risk, financial risk, structural risk, change risk and systemic risk. Each of 
the risk dimensions influences the overall corporate risk. The broadness of the risks 
indicate the importance that Risk Management has in affecting all sources and 
levels of risk, and dictates the importance of achieving a risk averse culture in an 


1 FERMA and ECIIA (2010). 

2 Fatemi and Luft (2002). 

3 Tufano (1996). 
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Fig. 6.1 The development of 
a risk-averse culture. Source : 
Related to Muller CFAC- 
HSG (2012) 
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aviation organization. The following paragraphs explain the different sources 
of risk. 


6.2.1 Business Risk (Operating Risk) 

Business or operational risk is fundamental to a company. It comprises technologi¬ 
cal, distributional, and informational risk sources. 4 These risks are assumed to have 
an impact on the competitive positioning of a firm. Moreover, these risks can 
mostly be controlled by management conducting regular, internal risk analyses, 
and choosing the correct follow-up operating decisions. If a firm takes operating 
risks and management is fully aware of them, the firm aims at a competitive 
advantage, for which it will be rewarded financially. If this is not the case, it is 
not worth taking that risk. So if firms are not able to mitigate their operational risk 
for their own advantage, they may fail in the market as this implies that costs would 
be greater than benefits. 5 


6.2.2 Strategic Risk 

Strategic risk includes all macro factors which affect a firm. Furthermore, it 
encompasses the value to its shareholders. 6 Strategic risk can be economic or 
political on a domestic or international level. Typically, increased regulation and 
regulatory structures are examples of domestic economic events. Fundamental 
governmental changes, such as the inclusion of a country in the European Union 
or the weakening of financial security in a country, illustrate strategic political risks. 
These risks are commonly long term factors and affect a firm’s value over many 


4 Fatemi and Luft (2002). 

5 Fatemi and Luft (2002). 

6 Fatemi and Luft (2002). 
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years. Hence, strategic risk factors are longer term oriented than business or 
operational risk factors, and the awareness of them in a risk culture of a company 
creates benefits and a sustainable development of the company within its economic 
environment. 


6.2.3 Financial Risk 

In general, financial risk appears in the short term, due to adverse changes of 
interest rates (e.g. airplane leasing rates), commodity prices (e.g. jet fuel), equity 
prices (e.g. share price development, value of own equity) and exchange rates 
(e.g. CHF-EUR exchange rate). Adverse changes of these factors translate into 
real losses for the company and shareholders. In the worst case, such impacts can 
quickly lead to low cash positions, which is especially the case in the airline 
business where airlines have small margins and can easily run into debt. Manage¬ 
ment can deal with such risks by using financial instruments—which themselves 
incur other risks. A popular example in the airlines industry is fuel hedging which 
can be seen as a failure after 2008 when fuel prices dropped significantly and 
airlines paid higher prices for fuel than the market price due to their hedging 
contracts. 


6.2.4 Structural Risk 

Structural risks are related to company internal risks over different hierarchical 
levels. The largest structural risk stems from the situation that many members of the 
supervisory board of directors are experts in their fields (such as finance, regulation, 
marketing, etc.), but unfortunately do not understand the specifics of their 
company’s industry. An example of this situation is the aviation industry with 
many different regulatory limitations and a much diversified business structure 
with pilots, administrators, technologists, etc. Network management and yield 
management of airlines is especially crucial knowledge that one has to have 
about the industry in order to be successful. The small margins in aviation also 
lead boards to make decisions differently to those they might make in other 
industries. It is in an industry with such small margins, and due to these rather 
high risks it becomes very important to be aware of the structural risks for the 
benefit of the sustainable existence of the company. Risk management processes 
which incur costs are often related to specific benefits, without explicitly 
acknowledging that the core benefit, in many cases, is the sustainable survival of 
the company. 
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6.2.5 Risk of Change 

Change risk addresses the risks that occur when changes happen in a company. 
Let’s assume an airspace control company changes its supervisory system. There is 
the risk that it fails to work properly from the beginning, which would lead to a 
closure of all national airports and a grounding of all airplanes within its supervi¬ 
sory area. Furthermore, the market changes continuously. This leads companies to 
adjust constantly to the market and therefore being confronted with ever changing 
corporate risks. Change risks have to be dealt with specifically, and risk 
assessments have to be made for each change process so alternatives can be 
planned, just in case the change does not work according to plan. 


6.2.6 Systemic Risk 

Systemic risks are risks that appear in networks which can be more or less 
formalized, for example very formalized alliances. There are two kinds of systemic 
risk, namely internal and external. Internal systemic risk addresses structural issues 
(structural risks) within the company. They appear due to routine which leads to 
systemic behavior and less awareness of specific activities which may include risks. 
For example, if processes have become routine, there is a systemic risk of making 
mistakes by becoming reluctant to deviate from the given procedures, or if the 
supervisory board does not prioritize and allocate the necessary resources for risk 
assessment. 

External systemic risk refers to the risk of dependencies in networks, the 
environment and the market risk in general. Issues such as the risk of losing a 
major partner in a network, e.g. the major partner in a global alliance, arises with the 
increasing dependency on that partner in the network. What would happen to Swiss 
if Lufthansa went out of business? What is the risk that such a scenario could come 
true? Such questions address external risk that can only partly be steered by 
individual companies. Typical types of risks in networks can be the following 7 : 

• Too low or inappropriate demand 

• Problems in fulfilling customer deliveries 

• Cost management and pricing (yield management) 

• Weaknesses in resources, development and flexibility (e.g. in route networks of 
airlines). 

Figure 6.2 summarizes the two kinds of systemic risks. 

Alliances are a common form of cooperation in the airline industry. They can 
create great economic value and might even be responsible for the success or failure 
of some small companies. But it also creates risk for entities in such alliances. Small 
firms especially are faced with higher levels of risk in alliances. Large firms are 
usually able to gain access to a smaller, entrepreneurial firm’s new technology or 


7 Hallikas, Karvonen, Pulkkinen, Veli-Matti, and Tuominen (2004). 
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Fig. 6.2 Internal and external systemic risks 

core resource through an alliance, whereas the long-term success of the smaller, 
entrepreneurial firm might actually suffer from the alliance with large firms. 8 

Das and Teng (1996) discuss the relational and performance risk of alliance 
partners. Relational risk deals with the probability that partner firms lack commit¬ 
ment to the goal of the alliance. Their opportunistic behavior could have a negative 
influence on the success of the alliance, due to their prioritizing of self-interest by 
focusing on their own benefits from the alliance at the cost of their partners. 9 Such 
opportunistic behavior includes shirking, distorting information, delivering unsat¬ 
isfactory products or services, appropriating the partner’s resources and following 

1 A 11 i o 1 Q 

hidden agendas. The result is suboptimal outcomes, ’ ’ Performance risk deals 
with the opportunity that an alliance might fail, although all partners fully commit 
themselves to the alliance. Despite their best efforts, reasons for such failure may be 
a result of internal and external factors. External factors can be environmental 
factors such as governmental policy changes, economic recession and war. Further¬ 
more, there are market factors such as demand fluctuations and fierce competition. 
Internal factors can be a lack of competence in critical areas or just plain old bad 
luck. Performance risk can be related to most strategic decisions, whereas relational 
risk is only present in alliances, 14,15 For example, Bombardier, which competes in 
the field of business jets and small airliners, uses partners in many countries to 
control development costs, thus sharing about half of the costs for the production of 
new jets. Boeing has, for example, similar deals with engine producers such as 
Rolls Royce, Pratt & Whitney and GE to share the risk and development costs of 
airplanes. These risks related to costs are clearly performance risks, which are 
present in addition to relational risks that might occur in the alliance. 16 Risk (and/or 
cost) sharing has been identified as an important motive for entering such alliances, 


8 Alvarez and Barney (2001). 

9 Willianson (1993). 

10 Das and Teng (1996). 

11 Parkhe (1993). 

12 Rugman (1982). 

13 Brouthers (1995). 

14 Das and Teng (1996). 

15 Ring and Ven (1994). 

16 Das and Teng (1996). 
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Primary risk 


Relational Risk Performance Risk 



Fig. 6.3 Strategic alliance orientations for primary risks and resources. Source : Related to Das 
and Teng (1996) 

1 ^7 IQ OC\ 9 1 _ 

as stated in the previous example. ’ ’ ’ ’ Figure 6.3 summarizes the different 
orientations of primary risks and resources in alliances. 

Relational and performance risks 22 for smaller firms in alliances can be reduced 
if larger partners are continuously monitored. When entering an alliance with a 
bigger partner the following actions will reduce risk and increase the knowledge 
about the larger firm, 23,24 

• Perform due diligence on the large firm 

• Be cautious to prevent excessive appropriation of the alliance benefits by the 
large firm 

• Protect own primary resource 

• Form alliances with entrepreneurial firms that have managers capable of under¬ 
standing what is required to make the alliance successful 


17 Badaracco (1991). 

18 Kogut (1991). 

19 Murray and Mahon (1993). 

20 Oliver (1990). 

21 Powell (1987). 

22 Das and Teng (1996). 

23 Alvarez and Barney (2001). 

24 Das and Teng (1996). 











64 


A. Wittmer 


• Be aware of competition issues (cooperation and competition) which are pre¬ 
served in an alliance. A sense of competition should be combined with the spirit 
of cooperation 

• Keep it flexible enough to minimize sunk costs, adapt to new situations, and 
recover more investment if the alliance fails 


6.3 Cost Factors of Corporate Risk Management 

The goals of a corporate risk management project must be that all employees have 
the chance to provide their list of risks the company faces. For this reason one is 
well advised to first make sure the goal of the risk management project is clear for 
all participating employees in the company, and not only for top management. 
Furthermore, financial and time resources need to be allocated and approved by the 
top management for a successful finalization of the project. The risk management 
project needs to be on the agenda of the board of directors. Once this is the case, a 
detailed project plan with a specific time schedule for the risk management process 
is required. It is important that bigger risk management projects are not just running 
parallel to “more important” daily business. Last but not least, project controlling 
must be in place to guarantee the quality, time and budget allocation for the project. 
The following list is a general risk management project guideline for the imple¬ 
mentation of a risk project split into four phases (see Part IV of the book): 

1. Phase 1: Organization: Planning and implementation of the risk project 

2. Phase 2: Risk collection and assessment: Collect the risk and create report 

3. Phase 3: Risk mitigation: Investigation, determination and documentation 

4. Phase 4: Continuous improvement and change management: Internal and exter¬ 
nal audits, and safety training 

Nevertheless, risk management projects can be implemented in different ways, 
either internally or externally. Internally means that the project is handled by the 
company itself, which means that the company assigns a risk manager to the 
project. Externally means that a risk consultant is hired who implements and runs 
a risk management project in the company. Figure 6.4 summarizes the different 
internal and external procedures towards risk assessments. 


6.3.1 Internal 

Two internal risk management processes can be implemented: asking all employees 
to state all the risks they have identified within the company during their yearly 
personnel talk with their supervisor, and sending out a questionnaire to all 
employees on a regular basis to collect risks for a master risk list. By doing this, 
the master risk list is constantly changing and shows the current highest risks as 
perceived by the employees. Furthermore, the analysis of existing cases that 
occurred in the company and externally can help identify risks and improve 
sensitivity to risks. 




6 Costs and Benefits of Risk Management 


65 



Fig. 6.4 Procedures for risk assessment 

The following list summarizes four different internal procedures to create a high 
quality determination of risks: 

• Determine risks after the yearly management talk with employees 

• Questionnaire to employees 

• Analysis of cases that occurred internally 

• Analysis of cases that occurred externally 


6.3.2 External 

External risk management procedures differ from the internal ones, mainly as they 
are outsourced to a risk management consultant. The goal is not only to draw on 
internal knowledge, but also to take external expertise about risks from others into 
account when assessing one’s own risk. 

Such external risks that hit others, might hit one’s own company as well. This 
begs an analysis of such cases in order to leam from them and improve one’s own 
position to reduce that risk. External risks are determined the same way as internal 
risks, but often there are consultants involved who bring their cross-industry risk 
management skills as an asset into the risk analysis. 

The following list summarizes the different external procedures used towards a 
high quality determination of risks: 

• Determine risks through personal talks of employees with the consultant 

• Questionnaire given to employees by consultant (anonymously if needed) 

• Analysis of cases that occurred internally by consultant 

• Analysis of cases that occurred externally by consultant 

• Input of knowledge across industries by risk management consultant 
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6.4 Risk Management Costs 

One reason why risk management is not conducted thoroughly by some companies 
most likely lies in the provision of resources. As long as a company runs well, the 
search for possible risks seems almost paranoid, like if people ran to a doctor every 
time they sneezed. Resources for proper corporate risk management are needed in 
the form of time and money and they have to be placed on the top level agenda of 
the board of directors. 

The general benefits of corporate risk management can be explained as a 
reduction of the different risks threatening an organization. However, the financial 
benefit is difficult to derive if a risk has not previously resulted in a crisis. For 
example, in the operation of an airline one of the biggest risks is losing a plane in a 
crash. The costs of such a loss can be calculated financially. But it is not always the 
financial loss that counts most. It might rather be an image loss. But what is the 
value of image for an airline? No manager would argue that it does not matter, but 
no manager would be able to provide a specific financial value for image. So the 
benefit of the image is hard to measure and, for this reason, it is hard to measure the 
benefits of risk management. Concerning incidents that could lead to airplane 
crashes, the industry is now regulated in this area, meaning most of the safety 
management processes need to be in place. 

Costs of risk are simpler to calculate than benefits. Table 6.1 shows the costs of 
the set-up of Risk Management in the first year. The time (days) spent by 
representatives of the company and external consultants are included in the calcu¬ 
lation. The calculation on a working day level is provided with examples for 
companies with 20, 100, 250, 500 and 1,000 or more employees. The numbers 
provided are subject to some volatility based on the different complexities of 
companies depending on what specifically they are offering, whether they are 
producing for the aviation industry as suppliers or whether they are also involved 
in work in the air. The volatility level of plus/minus 25 % allows the numbers to be 
interpreted for different cases. Furthermore, only the corporate risk management 
activities are included within the day calculation. This excludes costs for internal 
control systems (ICS) and safety management systems (SMS). 

Table 6.1 shows the costs of risk management for different company sizes. 
Table 6.2 shows different time investments in Risk Management, dependent on 
company size and based on the authors real life experience. Furthermore, it is seen 
in practice that small companies do the absolute minimum to just fulfill the 
requirements. Some reasons for the increasing time needed related to size, are 
based on the fact that large companies: 

• need to deliver a situation report 

• need to include investor relations into risk management 

• need to deal with insurances 

• are more complex and have more diversified product portfolios 

• need to inform, educate, etc. more employees 

• are confronted with bigger difficulties to create a corporate risk culture 
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Table 6.1 Costs of implementation of risk management in year 1 


Number of working days used dependent on company size 
Position 20 empl. 100 empl. 250 empl. 500 empl. 1,000+ empl. 

Phase 1 


Supervisory board of directors 

0.5 

0.5 

0.5 

0.5 

0.5 

Executive management 

1 

1 

2 

3 

4 

Project leader 

5 

10 

20 

25 

30 

Others (administration, accounting, 
ext. experts) 

2 

4 

7 

10 

15 

Phase 2 

Supervisory board of directors 

0.5 

0.5 

0.5 

0.5 

0.5 

Executive management 

1 

1 

2 

3 

4 

Project leader 

2 

3 

4 

6 

10 

Others (administration, accounting, 
ext. experts) 

2 

3 

4 

8 

15 

Total 

14 

22 

40 

56 

79 


Table 6.2 highlights the number of working days needed to continuously work 
on Risk Management. Continuous improvement and adjustment related to new 
regulations, structures and market situations is important. Again, these numbers 
are based on the authors’ expertise in practice. A comparison of the first year 
implementation and the continuous risk management process demonstrates that 
the risk manager needs less time for phase one and two than the project leader. The 
reason is that the project leader has already created all the templates and described 
the risk management process in the first year which just has to be followed by the 
risk manager in year two and after. Appendix shows a sample job description of a 
risk manager for Aviation Company Ltd. 


6.5 Summary 

There are different sources of risk that play a role from a microeconomic and 
managerial perspective. One of those risks is systemic risk, which is of upmost 
importance in the aviation industry. It is an industry that depends strongly on 
networks and partly on alliances, whether in the airline industry or in the aviation 
supply chain. There are internal risks related to internal structures and behavior, as 
well as external risks, especially for smaller partners in bigger networks or 
alliances. It is important for companies entering networks to ensure they keep 
their crucial knowledge in house and, at the same time, aim at flexibility and 
productivity in the alliance. 

When implementing risk management it is important to have the supervisory 
board support the project and follow clear time schedules, regularly controlling 
achievements and financial resources within the risk project. Risk management has 
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Table 6.2 Costs of implementation of risk management after year 1 


Number of working days used dependent on company size 

Position 

20 empl. 

100 empl. 

250 empl. 

500 empl. 

1,000+ empl. 

Phase 1 

Supervisory board of directors 

0.5 

0.5 

2 

3 

3.5 

Executive management 

3 

4 

4.5 

5 

6 

Risk manager 

0 

2 

3 

4 

6 

Others (administration, accounting, 
ext. experts) 

0 

1 

3 

4 

5 

Phase 2 

Supervisory board of directors 

0 

0.5 

0.5 

0.5 

1 

Executive management 

1.5 

2 

4 

6 

8 

Risk manager 

0 

3 

6 

8 

10 

Others (administration, accounting, 
ext. experts) 

0 

3 

6 

8 

10 

Phase 3 

Supervisory board of directors 

0 

0.5 

0.5 

1 

2 

Executive management 

2 

4 

6 

8 

10 

Risk manager 

0 

4 

8 

12 

20 

Others (administration, accounting, 
ext. experts) 

1 

5 

10 

20 

30 

Phase 4 

Supervisory board of directors 

0 

0.5 

0.5 

0.5 

0.5 

Executive management 

2 

4 

6 

8 

10 

Risk manager 

0 

3 

7 

10 

15 

Others (administration, accounting, 
ext. experts) 

2 

10 

20 

30 

50 

Total 

12 

41 

87 

128 

185 


to move from an initial project to a continuous risk assessment. There are several 
internal and external solutions about how to achieve this goal either by assigning 
internal resources or employing a consultant. 

It is difficult to calculate specific costs and benefits arising from risk manage¬ 
ment as long as no failure that could have been prevented by proper risk manage¬ 
ment materializes. Costs for implementing and for the continuous improvement of 
risk management play an important role. Depending on the size, complexity of the 
company, the business framework and industry the company is in, risk assessments 
will affect financial resources to a greater or lesser extent. As a part of this chapter 
an assessment of time spent for setting up a proper risk management in a company 
and for a long term development of risk management has been provided. From the 
number of working days spent on different functional levels of management, costs 
can be estimated individually for companies. This is a new concept and should help 
managers to better financially plan their risk management process. 
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Appendix: Sample Risk Manager Job Description 
Sample Company 


Risk Manager Job Description 

1. General Information 


Job Title 

Risk Manager 

Appointed by 

Executive Committee (EC) 

Supervisor 

Chief Executive Officer (CEO) 

Starting date 

1 April 2014 

Percentage 

30 percent 

Deputy 

Chief Financial Officer (CFO) 

Subordinates 

None 

Additional 

function 

Head of Quality 

Signatory rights 

None 

Competencies 

Right to inspect all business documents, legal right to inform all employees, 
reports directly to the Chairman of the Board 


2. Duties 

• Monitoring and optimization of the risk management process 

• Ongoing mitigation of the key risks of the sample company 

• Ensuring adequate insurance coverage 

3. Requirements 

• Social and interpersonal skills 

• Independent, accurate and structured way of working 

• Flexible and resilient, solution-oriented 

• Optimization focus 

• Openness to new ideas and changes 

• Loyal and discreet 

• Planning and organizational ability 

• Expertise in Risk Management 

• Basic training in Risk Management 

• Interdisciplinary understanding 

• Networked thinking 

• Organizational strengths 

• Willingness to participate in ongoing training in Risk Management 

4. Key Activities 

• Risk analysis: 

- Preparation of annual risk analysis (as part of the annual operational risk 
analysis) for submission to the CEO and BoD 
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- Ongoing identification of risks, proposals for the definition of measures 
and reporting of significant changes in the risk environment 

- Ensuring that all employees are also asked about new or worsened risks in 
connection with the annual employee interview 

• Definition and monitoring of risk-mitigating measures: 

- Preparation of the definition of risk-mitigating measures for submission to 
the CEO and BoD (as part of the individual risk assessments) 

- Coordination with the respective risk owners and, if necessary, coaching 
of the risk owners 

- Monitoring the implementation of the risk-mitigating measures by the risk 
owners 

• Creating appropriate reports for the submission to CEO and BoD 

- Quarterly reporting to the CEO on the development of key risks and the 
status of risk-mitigating measures (risk radar as part of the quarterly 
reporting) 

- Annual report on Risk Management to the BoD 

• Coordination of the risk management function with the measures of the ICS 

• Preparation of annual insurance overview 

• Advice to the CEO regarding relevant risk management issues 

5. Special Tasks 

After consultation with the BoD the incumbent may be given special additional 

tasks, particularly in relation to specific projects. 

Zurich,. 

The incumbent: For the sample company 


XXX XXX 
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Operational risk management is a central part of the safety management system and 
has to be further outlined. This chapter provides an overview of: 

• Hazard Identification 

• Operational Safety Risks 


7.1 Hazard Identification 

The identification of hazards is the fundamental activity within safety management. 
Each risk analysis starts with the hazard identification process. It aims at identifying 
any condition with the potential to cause injury to personnel, damage to equipment 
or structures, loss of material, or reduction of the ability to perform a prescribed 
function. In particular, this also contains any conditions that could contribute to the 
release of an un-airworthy aircraft or to the operation of aircraft in an unsafe 
manner. Hazard identification is performed in order to identify the hazards in the 
organizational systems and the operational environment of companies and to assist 
in controlling these hazards . 1 Such a process can be implemented through internal 
reporting instruments like flight data monitoring including the constant monitoring 
of the processes defined for specific operations and business processes. For safe 
operations, it is vital that an ongoing assessment of the operational functions and 
processes is performed to apply changes which contribute to the proactive manage¬ 
ment of safety. The core processes in safety management are regularly safety 


1 Skybrary (2009). 
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assessments which immediately track trends and changes in order to provide 
essential information for maintaining the system’s safety health . 2 

The traditional approach of air operators towards hazard identification only 
focuses on the monitoring and assessment of operational areas. These areas include 
trend analysis and safety relevant occurrences of aircraft operation. The method is 
called the reactive approach because operational data is used to understand the 
environment, equipment status and cultural milieu in order to identify the hazard. 
Just being reactive and only responding to incidents and accidents, is a clear 
indicator of deficiencies in the aviation safety system of a company . 3 

With modern hazard identification the focus is directed towards process analysis 
finding weaknesses as well as identifying potential failures. The overall goal is to 
fix or eliminate those weaknesses before they turn into an incident or even an 
accident . 4 This new thinking is a proactive approach to the identification of hazards 
and risk analysis. Upon being able to understand the hazards and associated risks 
within daily operations, a company must work on minimizing hazardous conditions 
and respond proactively. This can be achieved by analyzing processes, conditions 
and working environment to improve the overall level of safety. Those processes 
and conditions include departments like training, budgeting, planning, marketing, 
procedures and organizational factors that might have a contribution to operational 
accidents. Here it becomes obvious that hazard identification should be regarded as 
a core-business function and not as an extra management task. 

It is a fundamental step for a company to transform from a reactive culture to a 
proactive reporting culture where everybody actively tries to address safety related 
issues before they turn into catastrophic events . 5 The way to safety superiority is 
through the additional predictive approach where confidential reporting systems 
monitor real time flight data and provide information which might identify future 
problems. The focus is on emerging safety risks and how to intervene in order to 
minimize the risks to an acceptable level . 6 

A combination of reactive, proactive and predictive methods will lead to effec¬ 
tive hazard identification and will provide fundamental information for risk 
management. 


7.2 Operational Safety Risks 

Given that a hazard may involve any situation or condition that has the potential to 
cause adverse consequences, the scope for hazards in aviation is widespread. 

The following list provides some examples for hazards: 


2 International Civil Aviation Organisation (ICAO) (2009), pp. 4.4-4.6. 

3 Stolzer, Halford, and Goglia (2008), pp. 120-121. 

4 Stolzer et al. (2008), p. 121. 

5 Department of Transportation Canada (DOT) (2002), p. 32. 

6 International Civil Aviation Organisation (ICAO) (2008). 
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Hazard Identification Risk Assessment Risk Handling 



Risk Control and 
Monitoring 



Fig. 7.1 Operational risk management process. Source : Adapted from various sources (ARMS 
Working Group, 2007-2010; Skybrary, 2013) 

• Equipment or task design 

• Procedures and operating practices 

• Communication 

• Human factors 

• Organizational factors 

• Work environment factors 

Operational risk management is the identification, analysis and elimination of 
those hazards, as well as the subsequent risks, that threaten the viability of an 
organization. 

The first goal of Risk Management is to avoid hazards. The proactive identifica¬ 
tion and control of all major hazards is fundamental. Successful operations depend 
on the effectiveness of the hazard management program. Figure 7.1 illustrates the 
risk management process 7 : 

The following example should provide clarification to help understand the 
difference between corporate risk management and the safety management system. 

Four pilots found a business aviation company and want to operate their aircraft 
on a commercial basis. According to state obligations they are required to show 
efficient Risk Management during their first annual financial statement for the 
acquisition of the aircraft. In parallel they acquire their AOC, where they are 
required to implement a safety management system for the company, with a strong 
focus on the operational and organizational sides. 

The four pilots hold an equal share in the company, but the CFO has single 
signature rights because they decided to speed up the signature process and trust 
their partner. This fact illustrates a very common mistake in corporate governance 
and completely neglects Risk Management. 


7 Skybrary (2010). 
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After 2 years, the CFO depredates the accounts and the company has to declare 
bankruptcy. How could this scenario have been avoided and how could the risk 
have been identified? 

Corporate risk management integrates the whole organization, including 
accounts and management, and provides an in depth analysis of corporate risks 
and their mitigation in order to manage the business on a sound economic basis. 

A safety management system approach during that stage would not have 
incorporated the shown risk above. While disclosing the yearly financial 
statements, a company which is buying aircraft has to clearly demonstrate a 
corporate risk management, whereas air operations require the implementation of 
a safety management system. 8 
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The aviation business is one of the harshest business environments managers can 
think of. Tight profit margins, frequent business cycles, governmental regulation, 
safety requirements and the direct interdependency to the world economy are just a 
few factors which cause immense headaches for top management. Maneuvering a 
company through this environment requires the right management strategies and 
skills. 

This chapter provides an overview of: 

• Corporate Governance 

• The Internal Control System with its connection to different standards 

• The balancing act between production and protection 


8.1 Corporate Governance 

Corporate Governance touches different areas within a company. It basically 
defines the processes, structures and the framework for the leadership, management 
and monitoring of companies. 1 

Successful companies have classically similar characteristics which set them 
apart from less successful companies. The key areas comprise an effective, compe¬ 
tent board of directors, with clearly defined responsibilities, and a skilled CEO who 
is eligible to run the business with integrity and great vigor. Additionally, the 
business concept has to be executed effectively and profitably utilizing the right 


1 Topfer (2007), p. 213. 
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resources in order to compete in the market environment and to meet the customers’ 
expectations in an outstanding way. Moreover, prosperous companies apply the 
right tools and systems which ensure the efficient implementation of processes and 
compliance with applicable laws and regulations. 2 

There are three main objectives which are addressed by Corporate Governance: 

1. Establishing, with regard to content, the timely preparation and distribution of 
information about all important business processes within the company to the 
management across all decision levels. 

2. Ensuring transparency of all essential processes, decisions and results in order 
to illustrate a clear picture for all involved stakeholders. 

3. The control by the advisory board ensures that companies do not act against 
laws or ethical codes, and that all decisions made by the shareholders are 
implemented. 

Figure 8.1 illustrates the main objectives of Corporate Governance. 

Corporate Governance in the aviation industry is not specifically the primary 
objective when looking at the composition of the board. Authorities like EASA, 
BAZL, etc. have positioned structural rules and regulations for air transportation 
which have to be followed by AOC holders. These regulations already contain 
guidelines concerning transparency, control and information systems which target 
managerial leadership. 3 


8.2 Internal Control System 

Overall Risk Management in the context of corporate governance has to be distin¬ 
guished from the focused operational risk management in the aviation business. It is 
therefore helpful to speak of “Corporate Risk Management” if the overall approach 
in the sense of corporate governance is intended. A part of corporate risk manage¬ 
ment is the Internal Control System (ICS). The ICS is one of the key management 
instruments and is defined by the Committee of Sponsoring Organizations of the 
Treadway Commission (COSO) as a process affected by an organization’s struc¬ 
ture, work and authority flows, people and management information systems, 
designed to help the organization accomplish specific goals or objectives. 4 

The challenge for the aviation industry is to combine corporate governance risk 
management with the safety management system. The SMS includes the process of 
hazard identification (HAZID) based on the standards and recommended practices 
(SARPS) of ICAO. The experience of successful aviation companies leads to the 
conclusion that the SMS should be based on the corporate risk management without 
touching the aspects of internal controlling, as visualized in Fig. 8.2. 5 


2 Colley, Stettinius, Doyle, and Logan (2005), p. 4. 

3 Jermann (2011), p. 13. 

4 Committee of Sponsoring Organizations of the Treadway Commission (2004). 

5 Muller (2012). 
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Fig. 8.1 Main objectives of corporate governance. Source : Topfer (2007) 



Fig. 8.2 Connex of risk management and the safety management systems. Source : Own 
illustration 

Research by the I. FPM Centre for Corporate Governance, at the Institute for 
Leadership and Human Resources Management at the University of St. Gallen 
showed that one of the main mistakes made by the Management Board was 
insufficient or non-existent Risk Management. That is why risk management 
assumes a key significance in the area of corporate governance. 6 The ten most 
common and important mistakes and deficiencies at board level can be listed as 
follows: 


6 Muller, Lipp, and Pliiss (2007). 
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Box 1: Challenges and Deficiencies at Board Level 7 

1. Below satisfactory qualifications of the Board of Directors (BoD), espe¬ 
cially the function of the Chairperson in connection with the absence of 
the non-executive board members, and incorrect structure of the board 

2. Poor preparation and lack of overview by board members 

3. Conflicting interests influence board decisions due to inadequate internal 
regulations 

4. Lack of clear strategies and strategy control 

5. Non-existent or inefficient risk management, especially regarding liquid¬ 
ity planning or regulatory compliance 

6. Very reactive rather than proactive approach by the Board of Directors to 
changes, due to the low frequency of board meetings 

7. Unsatisfactory provision of information and information evaluation, in 
particular due to insufficient or delayed reporting to the Board of 
Directors. 

8. Poor or delayed decision making, especially with incomplete decision 
documents 

9. Lack of cooperation between Executive Management and Board of 
Directors, in particular lack of clearly defined responsibilities 

10. No existing evaluation of Executive Management and Board Members; 
inefficient Managers and Board Members are replaced too late 


8.3 Balancing Act, Production vs. Protection 

Coming to the question of production and protection, the management constantly 
faces a “management dilemma” (Fig. 8.3). 

The commercially competitive environment puts a lot of pressure on the overall 
cost basis. Frequently, being safe is perceived as an expensive, intangible and never 
ending obligation imposed by the aviation authorities that has unclear returns on 
investment. 

There is an inherent conflict between protection and production goals. On the 
one hand, the overall protection (safety) must be kept at a high level to avoid any 
catastrophic events but, on the other hand, production goals must also be at a high 
standard to avoid bankruptcy. Whilst the productive aspects are commonly well 
understood and their related processes are comparatively transparent, the protective 
functions are far more diverse and more subtle. 8 Since production generates the 
resources which are vital for protection, its needs will always be prioritized within 
an organization. Air operators are always driven by production goals, where the 


7 Kalia and Muller (2006), p. 15. 

8 Reason (2004), pp. 3-5. 
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Fig. 8.3 The management 
dilemma. Source : 
International Business 
Aviation Council (IBAC) 
(2008), p. 15 


Bankruptcy 



primary objective is the timely and efficient delivery of services. This objective 
often contradicts operational safety considerations, because the need to meet a 
schedule and land at a particular airport at a particular time often has priority, 
regardless of weather conditions or airport limitations. 9 Often such sacrifices have 
no negative effects or generate no negative outcomes and can become a common 
practice in daily business and routine work practices. Unfortunately, becoming used 
to reduced system safety margins provides an increasingly vulnerable combination 
of accident-causing factors. 10 

But looking at the consequences, it must be recognized that accidents, incidents 
or even single safety violations can put the lives of staff in danger and might 
damage customer relationships, not to mention the damage to the reputation or 
the morale within the company. The balancing act within safety management is 
about finding the perfect balance between the production of services and products 
and the protection of human, financial and technical resources. 
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Part III 


Practical Implications of Risk and Safety 

Management 



Study of the Level of Risk and Safety 
Management System Implementation 
in Practice 

Andreas Wittmer and Christopher Drax 



9.1 Introduction 

The presented risk management survey was conducted in winter 2012/13 with the 
aim to gain an insight into corporate risk management procedures, and the level of 
implementation of such procedures in aviation companies and organizations. The 
survey was set up online and was distributed among small, medium and large Swiss 
enterprises in the aviation industry. A sample of 27 companies participated in the 
survey. This is a small sample which allows an insight into the implementation 
level of Risk Management, but does not provide statistically significant and 
completely representative conclusions. The examination of the topic follows a 
qualitative research approach and the findings meet the expectations of the 
researchers, providing a valid base for discussion and further research. 


9.2 Research Findings 

The analysis of the survey shows that almost half of the respondents are from 
organizations with a workforce greater than 500 employees where Risk Manage¬ 
ment is already implemented. Small firms with less than 50 employees are under¬ 
represented at only 15 %. However, smaller firms are still a very interesting 
segment to study as most of the regulations have been developed specifically for 
larger organizations, and small organizations are increasingly struggling with the 
implementation and monitoring of regulatory compliant management systems. 
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The functions of the respondents within the organizations are all, at least, middle 
to top management. Furthermore, at least 85 % of the respondents hold an academic 
degree. 

An interesting finding is that approximately 60 % of the respondents perform a 
double function within their organizations, meaning they are responsible for a 
minimum of two different areas within their organization. 

Only 41 % of organizations surveyed employ a risk manager in their Corporate 
Risk Management. This leads to the assumption that in some organizations, Risk 
Management is still a side function which does not require a dedicated position 
within the organization and is thus not properly executed. 

Usually, executive management, supported by a specific risk manager, would be 
involved in the Corporate Risk Management, and would bear the overall responsi¬ 
bility and authority for the risk management process. According to the survey, only 
60 % of the organizations involve executive management within their Corporate 
Risk Management. In addition, only 33 % have a specific risk management com¬ 
mittee which should jointly evaluate and mitigate the risks for the organization. 
Furthermore, the low percentage of 22 % regarding the involvement of an audit 
committee indicates that corporate risk management is not regularly monitored for 
effectiveness or regulatory compliance. 

The individual identification of risks by every employee within an organization 
is crucial for the exposure of safety risks. Still, 30 % of the respondents have never 
conducted a survey with all the employees to reveal inherent safety risks within 
their organization and processes. Instead, the survey showed that the organizations 
make use of various types of data/information sources for the Safety Management 
System, e.g. operational factors, flight data and air safety reports. 

When taking a closer look at the connection between Corporate Risk Manage¬ 
ment and other management systems, the majority of the organizations link Corpo¬ 
rate Risk Management with their Safety Management System. Nearly half of the 
respondents identify a link with the Quality Management System. Only 22 % have a 
connection to the Internal Control System. There is still a minority of 19 % of the 
organizations which use their Risk Management as a stand-alone process without 
any further connection to other management systems. 

Even though the aforementioned analysis is not ideal from a solid risk manage¬ 
ment process perspective, 89 % of the respondents classify their operational safety 
level within a range of fair to excellent, with 60 % classifying their operational 
safety level as excellent. 

In order to reach this excellence and to effectively manage and improve their 
Safety Management System, organizations are dependent on industry specific 
information and guidance. Most of the organizations follow the Civil Aviation 
Authority guidelines and/or directly the ICAO SMS framework which shows that 
best industry practices and regulatory parameters are the most commonly used form 
of obtaining information for the improvement of the Safety Management System. 
Forty-four percent of the organizations use seminars as a source of information, 
whereas only 25 % rely on the expertise of consultants. This importance of seminars 
contributes to the fact that sharing of safety relevant information within the industry 
is a common approach to improving each organization’s SMS. 
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In addition, most of the organizations make use of internally developed tools or 
buy software to help them with the implementation, monitoring and running of their 
SMS. Therefore, Safety Policy, with the safety management manual, is the least 
challenging module to implement. In contrast, 42.3 % regard the safety risk manage¬ 
ment module as the most challenging. This is in line with recent discussions during 
industry forums and workshops. Operators increasingly face issues to identify and 
properly manage risks within their organizational and operational processes and 
environment. Approximately 20 % are not challenged by the implementation of 
any of the four modules. On average, the respondents estimate their total spending 
on Safety and Risk Management at around 2.4 % of their total revenues. 


9.3 Results 

The majority of respondents are from large organizations or parts of an organization 
with more than 500 employees where Risk Management is implemented. Around 
70 % of the respondents are from organizations larger than 250 employees, which 
shows that the majority of the answers are based on more complex organizational 
structures and organizational challenges. Small organizations are only represented 
by 15 % of the respondents (Fig. 9.1). 

The educational level shows a high academic concentration with around 85 % of 
respondents at least with an undergraduate or postgraduate degree (Fig. 9.2). 

The respondents of the survey have the following functions which are spread 
from middle management to top management. 

• Captain 

• 2 x Safety Management Systems Manager 

• CEO 

• Chairman of the Board 

• Chief Engineer 

• CO 

• Commander Flying Training 

• cso 

• Deputy CEO 

• Director, Corporate Safety Policy, Planning and SMS Audits 

• Head of Division Safety Development and Support 

• Head of Safety 

• Maintenance Manager 

• Managing Director 

• Member of the Board 

• National Air Navigation Services Provider 

• Project Coordinator, Aircraft Maintenance Engineer and SMS Instructor 

• Safety and Environmental Compliance Manager 

• Safety Manager 

• Safety Projects Coordinator 

• Senior Director 

• Type Rating Instructor 
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Fig. 9.1 What is your organization size? (Organization where your Risk Management is 
implemented) 


3.7% 



H Did not graduate High School 

□ High School 

□ College 

□ Bachelor/Diploma Degree 

□ Master Degree 

□ Doctoral Degree 


Fig. 9.2 What is the highest level of education you have completed? 

• Underwriter 

• Vice President EU Affairs 

Two thirds of the respondents are responsible for Risk Management within their 
respective organization. As expected by the authors, at least 60 % of the 
respondents hold double functions in their organizations. 

Around 60 % of the organizations involve Executive Management within their 
Corporate Risk Management and at least 41 % have a specific Risk Manager, which 
verifies the responses made in question three that at least 60 % of the respondents 
hold a double function . Only 33 % have a specific Risk Management Committee 
which should jointly evaluate and mitigate the risks for the organization. Only 22 % 
involve an audit committee in their Corporate Risk Management (Fig. 9.3). 

Seventy percent of the organizations have, at least once, conducted a survey 
concerning safety and risks within their organization. Nevertheless, 30 % have still 
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Fig. 9.3 Who is involved in your Corporate Risk Management? 



Fig. 9.4 Have you ever conducted a survey concerning safety and risks in your company with all 
employees? 

not conducted a survey concerning safety risks despite this being crucial for 
identifying risks throughout the organization (Fig. 9.4). 

As anticipated by the authors, the majority of the organizations link their Risk 
Management with Safety Management, and nearly half with the Quality Manage¬ 
ment System. The empirical evidence still shows that there is no link in some 
companies to other management systems. This fact shows that there is further 
implementation effort needed to create the required links between the management 
systems (Fig. 9.5). 

Eighty-nine percent of the respondents classify their current safety level within a 
range of fair to excellent, with even 60 % rating their current safety level as 
excellent (Fig. 9.6). 
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Fig. 9.5 Do you link your Corporate Risk Management with other systems? 


0 . 0 % 0 . 0 % 



□ Excellent 

■ Good 

□ Fair 

□ Marginal 

■ Bad 

D Very bad 


Fig. 9.6 Regarding the operational situation, how would you personally classify your current 
safety level within your company? 

The following answers show that best industry practices and regulatory 
parameters are the most commonly used form of obtaining information for the 
improvement of the Safety Management System. The open answer option also 
reveals that the sharing of safety information within the industry is a common 
approach to improving each organization’s SMS (Fig. 9.7). 

Most of the organizations have concrete and specific strategic objectives in 
either their safety- and/or risk policy. Almost all organizations have documented 
strategic objectives in a specific policy (Fig. 9.8). 
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Fig. 9.7 Where do you get your information from in order to improve your Safety Management 
System? 
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Fig. 9.8 Which strategic objectives for Risk Management and Safety Management do you have? 


The survey also shows that the different organizations make use of various types 
of data/information sources for the Safety Management System (Fig. 9.9). 

The majority of the organizations use self-developed tools or buy software to 
help them with the implementation, monitoring and running of the SMS. Only 8 out 
of 27 make use of external consultants to help them with the implementation. This 
leads to an interesting question about the market availability of the appropriate 
consulting services concerning Safety Management (Fig. 9.10). 

The following question revealed interesting facts about the implementation of 
the different SMS modules. It demonstrates that the Safety Policy module is the 
easiest to implement, which shows that writing a static manual and policy was not a 
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30 



In-house Employees Operational Flight data Air safety 
surveys factors reports 


Fig. 9.9 What are your data/information sources for your Safety Management System? 



Fig. 9.10 Which tools/advice concerning the Safety Management System is your company 
using? 

real challenge during the implementation process for most of the respondents. What 
is quite interesting though is that approximately 20 % were not challenged by the 
implementation of any module. As anticipated by the researchers, the most chal¬ 
lenging module, with 42.3 %, was the Safety Risk Management module as it 
requires connecting many different interfaces within the organization (Fig. 9.11). 

The survey further reveals that the majority of the organizations follow either 
Civil Aviation Authority guidelines and/or directly the ICAO SMS framework 
(Fig. 9.12). 
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Fig. 9.11 Which Safety Management System module is the most challenging to implement 
within your company? 



framework Authority guidelines 
(e.g. FOCA, LB A 
etc.) 


Fig. 9 .12 Which standards concerning Risk and Safety Management is your company following? 















































Risk Management in Air Traffic Control 
"Operator's Risk - Back to Basics" 



Heinz Wipf 


Air traffic is a relatively safe means of transport compared to others. One of the 
reasons for this fact is the way air traffic has made safety a priority in its 
operations. 1 

As mentioned earlier, all productive entities 2 in civil 3 aviation are obliged to set 
up a Safety Management System, and the International Civil Aviation Organization 
(ICAO) or other accepted bodies 4 recommend or try to enforce them. 

Interestingly, the same ways and means concerning how to implement such a 
Safety Management System (SMS) seems to apply to all entities. 5 Without doubt, 
one could call the material at hand a standard way of introducing a SMS. 


1 See Perrow (1999), p. 123. He claims that there are structural explanations for the high level of 
safety. Most importantly, experience is accumulated for the vast number of flights carried out 
daily. Another reason is that aircraft accidents have an immediate impact on the demand side. 

2 See ICAO’s Safety Management Manual 3rd Edition 2013 § 3.1.2 “...safety management 
standards and recommended practices provide the high-level requirements States must implement 
to fulfil their safety management responsibilities related to, or in direct support of, the safe 
operation of aircraft. These provisions are targeted to two audience groups: States and service 
providers. ... the term service provider refers to any organization required to implement a safety 
management system .... (and) include: approved training organizations that are exposed to safety 
risks during the provision of their services; aircraft and helicopter operators authorized to conduct 
international commercial air transport; approved maintenance organizations providing services to 
operators of airplanes or helicopters engaged in international commercial air transport; 
organizations responsible for type design and/or manufacture of aircraft; air traffic service 
providers and operators of certified aerodromes ”. 

3 The scheme has even been adopted by military aviation in certain countries. 

4 For example Eurocontrol ESARR (see ESARR 4 - Risk Assessment and Mitigation in ATM, 
2001; Felici 2006, p. 1483) or EASA. 

5 See Rose (2008): The scheme has even been adopted by military aviation in certain countries, 
e.g. Swiss Air Force. 
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This chapter takes a closer look at whether this approach is supportive in 
promoting and enhancing safety in aviation. 

Analyzing the recommended method reveals that a risk-based approach 6 is 
promoted. It is therefore correct to ask which of the three entities—aircraft 
operators, air traffic service providers, and operators of airports 7 —are risk bearers. 

To this end a more formal definition of risk and eventual safety is unavoidable. 
Most people are conscious of the fact that in today’s world and even more so in the 
air transport system, risks are manifold . 8 This, however, is amplified, because many 
parts of the system have become privatized firms where the variety of risks has 
vastly increased (see Appendix: Types of Risk). 

In accordance with aviation practice, the remainder of this chapter concentrates 
on the risk of an aircraft accident as the ultimate hazard on a flight from A to 
B. While it is, in principle, irrelevant whether a flight is under visual or instrument 
flight rules , 9 the remainder of the text treats only the more instructive case of a flight 
under instrument flight rules. This is because an additional entity besides aircraft 
operator and airport come into play, namely the air navigation service provider and 
its full service range. For any flight of an aircraft operator, an airport is most often 
necessary . 10 


10.1 Security Risks 

Security is often mentioned in the same breath as flight safety. Nevertheless, 
security risks will not be addressed in this chapter, because security breaches 
concerning unlawful acts would have to be treated differently. The reason is that 
at least two 11 parties with their proper strategies are involved. This article assumes 
stochastic processes on the one side and a possible strategy on the other. Security 
risks would ask for a game theoretic approach. It remains an open question, 
however, whether a game theoretic approach would have to be taken into consider¬ 
ation for the situation where a group of risk bearers inside a firm are confronted with 


6 See ICAO’s Safety Management Manual 3rd Edition 2013 § 5.1.1 “An SMS is a system to assure 
the safe operation of aircraft through effective management of safety risk. This system is designed 
to continuously improve safety by identifying hazards, collecting and analysing data and continu¬ 
ously assessing safety risks. The SMS seeks to proactively contain or mitigate risks before they 
result in aviation accidents and incidents. It is a system that is commensurate with the 
organization’s regulatory obligations and safety goals.” 

7 Maintenance organizations are thought to be part of the operator and service providers while 
manufacturer’s of aircraft declare the reliability of their products to the aircraft operators; training 
organizations exposed to safety risks would most probably belong to aircraft operators. 

8 See Appendix: Types of Risk. 

9 Abbreviated VFR or IFR. 

10 Especially for flights with fixed wing aircraft. 

11 Or more. 
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organizational decisions, whereby the strategy from the group differs from the one 
management has imposed . 12 


10.2 The Notion of Risk 

A generally valid definition of risk is difficult . 13 In the remainder of this text the 
focus is on operational safety risks 14 and the suggested method for operational risk 
assessments is a quantitative risk analysis 15 (QRA). A first reason for this is because 
the three considered entities—aircraft operators, air navigation service providers 
and airports—are organizations , 16 and therefore base their choices on rationality . 17 
The second one is the number of important enough realizations with uncertain 
outcomes, namely flights or movements. A third one is the practitioner’s and 
engineer’s view that numbers warrant a certain rigor and allow for comparisons. 

In most definitions of risk, an adverse or negative outcome of a realization 
appears to generate a damage or loss . 18 

The occurrence of such an outcome, however, is not certain; but, there is a 
likelihood that goes with it . 19 For certain categories of risk takers, there exists some 
control over space and time, of where and when this adverse outcome may take 
place. If the outcome is negative, the question arises why risks are being taken at all. 
This is answered by the utility theory . 20 

Regarding quantitative risk analysis the statement, “A risk is deemed to be large 
if either the loss is severe, if the probability is high or both together. Similarly, a risk 
is deemed to be small if the loss is small, if the probability is low or both together,” 
is broadly accepted. 


12 So called “organisational factors” see also Gephart, Maanen, and Oberlechner (2012), Marais 
et al. (2004), p. 12 and Hollnagel (2008), p. 9. 

13 See Kaplan (1997), p. 407, Haimes (2009), p. 1647, Gephart et al. (2012), p. 141 also Aven 
(2011a), p. 28. 

14 Some of the different risk categories are intertwined with safety. For example, availability is 
connected to business risk while reliability is connected to safety risk, while in addition the two are 
analytically related. 

15 Often also probabilistic risk analysis PRA, which evaluates and quantifies risks associated with 
complex systems. In respect to consequences and likelihood see also Apostolakis (2004) and Aven 
and Zio (2011), p. 66, §2.1, also Alverbro, Nevhage, and Erdeniz (2010), p. 6 and Shyur 
(2008), p. 35. 

16 Made up of groups of individuals—see also Sage and White (1980), p. 440 $C. 

17 Even more so because all three should be high reliability organisations, notwithstanding the fact 
of bounded rationality by H. Simon; see also Sage and White (1980), p. 435 §IV, for a summary of 
definitions (Cookea and Rohledera (2006), p. 216. 

18 Risk is the expected value of loss. See Kahneman and Tversky (1979), p. 263. 

19 Haimes (2009), p. 1648 § 2. 

20 In Adams Richard and Payne (1992), p. 263 introduces the expectations of the total utility as the 
product of probability times gain; see also Sage and White (1980), p. 433. 
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Going a step further in defining quantitative risk, Kaplan and Garrick (1981) 
introduced a proposition, where risk is defined as a set of triplets. 

R = {(si,p h Xi)} where i = 1, 2, ... ,N + 1 


R: risk 

Si! a scenario identification or description 
Pi: the likelihood of that scenario 

xp is the consequence or evaluation measure of that scenario, i.e., the measure of 
damage. 

The scenario s 0 is the scenario of success and N + 1 is the sum of the scenarios 
nobody has thought of. With these definitions the set of triplets is complete, and so 
are all the risks. 

It is obvious that the variables p i? x i? themselves are uncertain. This fact is taken 
care of by having pi and Xi described by probability density functions. Although this 
extension of Kaplan and Garrick towards what they call level 2 is necessary, for the 
argument at hand it is not strictly needed. 21 

Furthermore, the following objective function for the expected risk 22 for a given 
operation is defined: 


v+i 

R = J2 P <' Xi 

i= 1 

Given the number of realizations, this product allows an entity to decide, 
whether the risks taken are acceptable and commensurate with the ones expected 
or planned for a certain type of IFR operation. The function also supports the 
statement on quantitative risk assessment above. 

R has to be distinguished from the total risk taken. The total risk taken is 
expressed in the risk curve 23 based on the cumulative likelihood of all the scenarios. 


10.2.1 Scenarios 

For simplicity 24 the following general categories of scenarios are developed as an 
example (Fig. 10.1). 

The occurrences in Table 10.1 are the prominent scenarios thought to lead to 
aircraft accidents. To define the set of triplets for R the Si are to be complemented by 


21 See also Coolen et al. (2010), S. 1. 

22 See also Haimes (2009), p. 1652 §7. 

23 Or survivability curve. 

24 It is a fact that accidents also happen, while the aircraft is standing or manoeuvring on ground. 
For the complete list see the taxonomy of ECCAIRS 4.2.6 based on ICAO’s ADREP 2000. 
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Fig. 10.1 Phases of flight 


Occurrence 3 k 

Scenario Collisions 

Phases of flight c Obstacle Terrain Aircraft In-flight damage b 


Take-off 

su 

Sl2 

s 13 

S14 

En-route 

S 21 

s 22 

s 23 

s 24 

Approach 

S 31 

S32 

s 33 

S34 

Landing 

S 41 

s 42 

S43 

S44 

Unknown 

S5 d 





a ECCAIRS 4.2.6 “Occurrence classes” 
b The airframe structure render it not flyable 
c ECCAIRS 4.2.6 “Event phases” 
d s 5 than matches the scenario N + 1 


Table 10.1 Scenarios 
N = k-j + l=4-4+l = 17 
where i = k + j for a Flight 
from A to B 


Pi and xp Any flight is thought to evolve along the above phases. 25 It is obvious that 
more detailed phases of flight and a finer occurrence scheme lead to a polynomial 
increase in scenarios. 


10.2.2 Likelihood 

Empirical values for pi the likelihood of a scenario for a given type of operation are 
often known from experience. Where empirical data is missing and a stationary 
process is identified, a Bayesian approach is usually suggested to estimate the 
likelihood. 26 Bayesian 27 theory is also used when the likelihood of an occurrence 
for a sequence of events leading to an aircraft accident is to be estimated. The most 
general start then is the computation of the conditional probability to estimate the 
likelihood for the scenario. The frequency of such a scenario is then quantified as a 
product of probability terms of the individual events in this sequence. 28 


25 Operational reality can be more closely modelled in state space. A Markov process would then 
describe the changes from one phase of flight to any another. For example, if a landing is aborted 
and a missed approach is initiated without passing through an en-route phase. See also Aven 
(2011b), p. 516. 

26 See Aven (2011a), p. 28; more general (Der Kiureghian & Ditlevsen, 2007, p. 13; Helton, 
Johnson, Oberkampf, & Sallaberry, 2008). 

27 See Netjasov and Janie (2008), p. 215 §3; also Brooker (2011), p. 1142. 

28 See Zimmerman and Bier (2002), S. 6. 
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The advantage of a Bayesian approach comes into full effect when no 
occurrences are available. A prior assumption, often based on expert judgment, 29 
is then gradually modified whenever empirical data from operation is available. 
Such an evidence-based approach is of considerable practical relevance, especially 
if a new technology or new procedure is introduced. 


10.2.2.1 Hazards 

In conjunction with the above set of risks a corresponding set of hazards 30 is 
introduced. 


H = {(si,Xi)} 


The hazard out of the set of hazards H is related to scenario Sj and conse¬ 
quence Xi. It can result in damage or loss and is a major hazard to the aircraft in 
flight. For the remainder of the text the focus is on risks related to those hazards, 
meaning loss of property or lives. 31 


10.3 Consequences: Accidents 

A general definition of an accident is an event that is unintended; causes untoward 
damage to persons, objects or the environment, and affects the functioning of the 
system. 32 Aircraft accidents are safety occurrences. 33 

According to ICAO three main categories of such safety occurrence are 
distinguished: 

(a) Accidents and serious incidents 

(b) Incidents and 

(c) Other safety occurrences. 

Aircraft accidents, for the most part, are thoroughly analyzed and extensively 
documented. 34 Although results are ex post and the official publication of the 


29 See also Lambert et al. (1994), S. 733. 

30 For a definition see ICAO’s Safety Management Manual 3rd Edition 2013 § 2.13.2 “... a 
condition or an object with the potential to cause death, injuries to personnel, damage to equipment 
or structures, loss of material, or reduction of the ability to perform a prescribed function. For the 
purpose of aviation safety risk management, the term hazard should be focused on those conditions 
which could cause or contribute to unsafe operation of aircraft or aviation safety-related equip¬ 
ment, products and services.” 

31 Conscious of the fact that all loss of property or life may eventually turn into a monetary or 
financial risk, hazards may be insured. In this case the insurance premium maps the insurable 
safety risk onto a cost dimension, which is to be compared to the average risk above. 

32 See Perrow (1999), pp. 64-66. 

33 Events that are or could be significant in the context of aviation safety. 

34 See ICAO Annex 13. 





10 Risk Management in Air Traffic Control "Operator's Risk - Back to Basics" 


101 


Fig. 10.2 Scatterplot 
showing the variability in 
number of fatalities in aircraft 
accidents in relation to the 
maximum take-off weight in 
kg. See Flage and Aven 
( 2012 ) 



reports often has a substantial time lag, 35 the range of damage and loss Xi incurred 
for a given type of operation is accessible in detail. 

Given this empirical data, it is thus also possible to quantify Xi in probabilistic 
terms for a particular scenario. 

Figures 10.2 and 10.3 show the available statistical information of empirical 
evidence of x i? namely the loss of life. The loss is the logarithmic 31 number of fatalities 
in aircraft accidents from 1st Jan 2000 to 23rd Aug 2013 for occurrences with one 
fatality or more. The graph shows the losses grouped as a function of the weight class 
(see Table 10.2) of the aircraft. The data is publicly accessible from the “Aviation 
Safety Network Database” (Courtesy of H. Ranter). The sample size is 808. 

The median, indicating expected loss, clearly rises 37 as the weight of the aircraft 
increases and so does the variability. Damage, in monetary terms is somewhat more 
intricate to calculate. Part of the reason lies within ICAO reporting schemes. 
However, accident reports and the service age of the aircraft involved will allow 
for reasonable estimations. 

ICAO defines an aircraft accident (see Appendix: Accident Definitions) rather 
extensively. 38 This has an impact on the variance and the expected value of the 
probability distributions for xi. It does make sense to assume a central tendency in 
the distribution (see Appendix: Joint Probability Distribution of Aircraft Weight 
and Total Fatalities). Still a bias towards the lower end of damage and loss cannot 


35 Due to the intricate accident investigation. 

36 log 10. 

37 Lower losses in class 5 may be due to limited occurrences available, indicated also by the 
reduced surface of the boxplot, which is a function of sample size (width proportional to the 
square-roots of the number of observations in the groups). 

38 ICAO’s accidents therefore do not necessarily always translate into catastrophes. 
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Fig. 10.3 Boxplots showing 
empirical evidence of the 
consequences Xj 


Table 10.2 Weight 
classes of aircraft 




— i -1-1— 

2 3 4 

Wstght Class Aircraft 

-1- 

5 

Weight class 

MTOW min in kg 

MTOW max in kg 

1 

0 

2,250 

2 

2,251 

5,700 

3 

5,701 

27,000 

4 

27,001 

272,000 

5 

272,001 

oo 


be ruled out. The ICAO’s definition in Appendix: Accident Definitions with the 
taxonomy under ECCAIRS, does not concur when using simple count data. The 
ECCAIRS suggested method is towards using categories, an approach leading to 
Kaplan and Garrick’s multidimensional approach. 39 

The distinction between final accidents and ones where a sequence of events 
leads to an adverse outcome is of importance when estimating the likelihood of an 
aircraft accident. These are occurrences such as a sudden structural failure or 
extreme weather phenomena (in Table 10.1). However, aircraft accidents most 
often do develop in sequences of mishaps and are thus called system accidents. 40 
When applying conditional probabilities to these sequences, some caution has to be 
exercised. 41 This is because a tight coupling renders prediction of the system 
reaction difficult. This leads to the question whether the air transport system is 
tightly or loosely coupled. It is tightly coupled in certain microscopic 42 aspects 


39 See also Kaplan and Garrick (1981), S. 14. 

40 “System accidents involve the unanticipated interaction of multiple failures.” From 
Perrow (1999). 

41 System accidents start with the failure of a part and are characterized by the progression of the 
accident involving multiple failures and those failures interacting in ways that are not anticipated 
by nor are they comprehensible to the designers and properly trained operators (Perrow, 1999). 

42 On a per flight basis. 
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which depend on the phase of flight. Interactions occur on the flight deck and with 
air traffic control 43 or on the ground with airport facilities. Albeit, the system 
operators are aware of the fact that they have the obligation to provide enough 
resources in order to assure a running system, 44 there may be times such as peak- 
hours on an international hub airport, where resources become constrained. General 
statements on tight or loose coupling (Marais et al., 2004, p. 3) should be avoided. 
In any case, the scenarios (Table 10.1) would allow for a qualified decision on 
whether the application of conditional probabilities to estimate likelihood is 
justified. The transport system on a macroscopic 45 level is inherently 
decentralized. 46 Therefore, tight coupling is not really an issue. However, recent 
developments in air traffic management 47 have shown efforts in concentration and 
centralization, and this will cause an increase in complexity. 48 Large international 
hubs are just another example on the airport entity side. 


10.4 Risk Bearers 

Individuals and organizations bear risks in aviation. But not all individuals are free 
to choose the risks they want to bear. Therefore, it makes sense to classify risks in 
different categories. From now on, neither societal nor individual risk will be the 
focus; instead, the emphasis will be on group risk. 

Persons exposed to risk are risk bearers and possible victims. They may be a part 
of the system in the sense of carrying out a crucial function. A classification is 
necessary because the appreciation of risk is different regarding voluntary and 
involuntary exposure. Voluntariness in risk exposure is, for all but the fourth 
party (see Fig. 10.4), of varying importance. There are always personal choices 
involved. According to Slovic, 49 the perceived benefit of air transport technologies 
is more than four times higher than the perceived risk. Furthermore, individuals 
tend to be more positive towards taking risks if they expose themselves voluntarily. 
Perrow suggests a suitable categorization. 50 

Examples of a trade-off between voluntary exposure and involuntary exposure 
are aircrews. They have chosen to work for an airline and by earning an income the 


43 Part of air traffic services (ATS). 

44 See provisions for air traffic flow management positions (ATFM). 

45 For example a flight region. 

46 Although the system is tightly coupled on certain aspects like cockpit interactions, flight deck 
and aircraft or ATC-aircraft, but in general stays a decentralised loosely coupled overall system 
(Perrow, 1999). 

47 For example the Single European Sky (SES) and the creation of Functional Airspace Blocks 
(FAB). 

48 In agreement with Perrow’s arguments on efficiency, complexity and coupling (Perrow, 1999, 
pp. 87-96). 

49 “The perception of risk” Slovic P. ed. London 2000. 

50 See Perrow (1999), p. 67. 
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Category 

Characteristics 

Description 

Risk exposure 



Persons with explicit 

a 




1 st party 

Operators of the 

control responsibility as 

+3 

a 

o 

> 


+5 


system 

well as other workers who 


o 




are on-site. 



> 


2nd party 

Non-operating 
personnel or 
system users 

Passengers or the users of 
the system and those who 
exercise no control of its 
operation. 



3rd party 

Innocent bystanders 

Persons on the ground 
where an accident happens. 





Persons confronted with the 





4th party 

Future generations 

future consequences of the 
accident. 






Fig. 10.4 Categories of risk bearers (Perrow, 1999, p. 66). Risk exposure (4th column heading)-. 
qualitatively, for in depth view (see Kahneman & Tversky, 1979) 

risk exposure is only partially voluntary. For the population living or working near 
airports 51 that are located close to metropolitan regions, it is difficult to argue that 
they could simply choose to live elsewhere. So to them the risk is almost completely 
involuntary. 

The first party risk takers are the ones that staff the three entities that run the air 
transport system. This group, depending on which entity they belong to, is thus the 
one that influences or controls, to a varying degree, the triplets determining risk 
R. This group is obviously heterogeneous across and within the three entities, 
i.e. implying operation and maintenance personnel or managerial staff. Although 
the cited sources claim that the overall responsibility lies with the top management 
position, it is understood that decisions are taken on all levels in the organizations. 
It is a matter of on-going research what the responsibilities and decisional powers 
are that have an impact on safety. 

It is, however, clear from the description in Table 10.2 that the possibilities to 
manage risk are with the group of first party risk bearers. 52 The focus of interest for 
the remainder of the chapter is therefore on them. 


10.5 Managing Risk 

In managing risk it is generally understood that the risk should be reduced to an 
acceptable level. Clearly, the operation of flying an aircraft from A to B is 
hazardous. 


51 Vrijling et al. (2004). 

52 Second and third parties have only indirect power to influence risk, mostly through legal action 
or politically via impositions of rules and regulations. An example in this case is the population 
near to airports in metropolitan areas. Direct actions by third party risk bearers against air transport 
to reduce risk would be unlawful acts. 
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Returning to the quantitative risk analysis the question to be answered is which 
of the first party risk bearers, grouped by entity, has the capacity to manage the risk 
of an aircraft accident and to what extent? 

Therefore, managing risks means an entity must be in a capacity to influence the 
triplet defined above—namely scenario, probability and consequences. 

For the sake of argument, the interaction between an aircraft and air traffic 
control 53 under IFR is taken as an example. 

While the phase of flight is a planned act of the flight crew, entering a new flight 
phase under IFR needs a request and is entered only with clearance from air traffic 
control. The reverse is only exceptionally true. The flight crew requests a change to 
a new flight phase as part of the planned flight from A to B. Due to efficiency, air 
traffic control is in the position to deny the flight crew’s request. Naturally, given 
the constraint of the aircraft’s fuel reserves, the granting of the request cannot be 
postponed indefinitely. 

The semaphored interaction by air traffic control assures that separation is 
established (note part of the set under “Collision”) in (Table 10.1). 

Now the likelihood that a certain scenario takes place is, in this case, governed 
by the flight deck and air traffic control decisions. However, it can be shown that under 
certain assumptions the layers of influences (see Fig. 10.5) diminish from top to 
bottom (for a more formal explanation, see Appendix: Decision Layer and Influence). 

If the en-route flight phase is taken as an example, four outcomes (as in 
Table 10.3) become possible. 

The diagonal probabilities p aa and p bb are part of normal operations. The 
off-diagonal elements though are of interest. While p ab is part of the safety risk 
under consideration, flight operations would consider p ba a business risk. 54 The 
probability p ab is itself a random variable having a probability density function and 
a possible dependence on space and time, 55 e.g. traffic density. 

While the aircraft operator has to endure the damage to the aircraft plus the 
possible loss of lives, the air navigation service provider seems to have merely some 
influence. The damage and loss of its own assets would be limited. 56 Since the 
magnitude of damage and loss is positively correlated with the weight of an aircraft 
(Fig. 10.1 and Appendix: Kinetic and Chemical Potential Energy of Aircraft). 57 The 
operator, by choosing the type of aircraft and the amount of fuel carried, has 
almost 58 exclusive control over damage and loss. 


53 Provided as part of air navigation services or more precisely air traffic services. From ICAO 
Annex 11 July 2001 §2.2 “..objectives of the air traffic services shall be to: a) prevent collisions 
between aircraft; b) prevent collisions between aircraft on the manoeuvring area and obstructions 
on that area; c) expedite and maintain an orderly flow of air traffic; d) provide advice and 
information useful for the safe and efficient conduct of flights; e) notify appropriate organizations 
regarding aircraft in need of search and rescue aid, and assist such organizations as required.” 

54 Leading to additional fuel burn and unwanted delay. 

55 Subject to data analysis e.g. regression. 

56 Except if an airport tower or other air navigation facilities were damaged by an aircraft. 

57 See Freitas (2012). 

58 Airports may add to damage and loss when exposing assets like buildings. 
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Fig. 10.5 Interactions amid entities on different layers resulting in distinctive influence 


Table 10.3 Probabilities 
resulting from an air traffic 
control clearance 


If separation 



Assured 

Not assured 

Clearance 

Issued 

Paa 

Pab 


Not issued 

Pba 

Pbb 


The opposite holds for an airport. It has little to no influence over the flight 
phases and limited impact on the likelihood of most of the scenarios, but could 
suffer damage and loss of its own assets as a result of an aircraft accident on its 
premises. The only measure to reduce risk in operations is to reduce the maximum 
weight and size of aircraft it can accommodate. 59 That obviously correlates with the 
officially published airport reference code (Table 10.4). 60 

Not only air transportation, but also the services industry in general is known for 
producing their goods between service provider and client in a convoluted way. 
Nevertheless, it is worthwhile to approach the processes in a structured way. The 
likelihood of a scenario may serve as an example. The different entities (Fig. 10.4) 
contribute to the final likelihood. The resulting probability density that allows an 
estimate of the likelihood is the convolution of the individual ones. 

Pi(4>i) = Piop(4>io P )*P iATC {fiiATc) 


59 This is not unlike a regulatory authority which can limit the use of certain aircraft. 

But restrictions interfere with economics and in conjunction with a quasi-monopoly of an airport 
will lead to inefficient solutions. 

60 See ICAO Annex 14: Table 1-1. 
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Table 10.4 Summarizing different entity’s influence on risk 


Scenario Si 

Aircraft Through the choice of the 
Operator flight phase the scenario is 
predetermined. The 
influence is high 


ANSP Acting on a second layer in 
Fig. 10.1 the influence 
through clearances (and 
information) on the 
scenarios is limited 


Airport Influence on the scenario is 
almost nonexistent, 
because the very function 
of an airport as a 
transportation node is 
landing and departing 
aircraft 


Likelihood, probability Pi 
The likelihood is governed 
by multiple causes like 
equipment reliability and 
human factors. The 
influence on probability 
density function of Pi is high 
The likelihood is governed 
by multiple causes like 
equipment reliability and 
control of the airport 
environment 

(e.g. temporary obstacles). 
The influence on 
probability density function 
of pi is high 

The likelihood is governed 
by multiple causes like 
equipment reliability and 
the control of the airport 
environment 

(e.g. temporary obstacles). 
The influence on 
probability density function 
of pi is high 


Damage, loss Xi 
Through choice of the 
aircraft type and fueling 
connected to the mass. The 
influence on the potential 
damage and loss is high 


Influence on the damage 
and loss is limited, because 
all sizes of aircraft in the 
controlled airspace have to 
be serviced 


Influence on the damage 
and loss is given through 
the classification and layout 
of the airport 


10.6 Regulatory Authorities and Risk 

So far, little has been said about the accepted bodies and regulatory authorities. 

The question can be posed whether a regulatory authority, typically a civil 
aviation authority, has any safety risks to bear. As they indirectly intend to limit 
the risk exposure of the four categories in Table 10.2 that obviously gives any 
regulation a high influence on Risk Management. In the context of an adverse 
scenario a regulation would turn out to be a sort of a prohibition, 61 reducing the 
likelihood of occurrence to virtually nil. To avoid these scenarios, conservative 
regulation of system design and operation has to be imposed. Often, an identified 
worst-case scenario or a worst credible accident serves as a guideline. 62 

Such an approach, however, given the different variables and probabilities 
involved, will turn out to be sub-optimal. Moreover, the identification of worst- 
cases often implies subjectivity 63 and arbitrariness in the definition of the scenarios. 


61 See also Kaplan (1997), p. 416 § 8.2. 

62 “Risk assessors usually call for less regulation and are severe in their criticism of the agencies” 
(Perrow, 1999, p. 307). 

63 “...we should never ask an expert for his opinion. What we want from an expert is, his 
experience, his information, his evidence” (see Kaplan, 1997, p. 416 § 8.2). 
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In principle that leads to the imposition of unnecessarily severe regulatory burdens. 64 

Is it possible instead that regulatory activity—through oversight, the collection 
and dissemination of empirical data to let first and second party risk takers make 
qualified decisions, and limit the risk exposure for third party risk bearers—could 
be sufficient? 


Conclusion 

In an aviation transport system value chain it can be argued whether every entity 
has to take Risk Management into consideration in its safety activities. Instead, it 
is proposed first to analyze where the risk bearers are located. 

There is evidence that the aircraft operators bear the final risks. Although 
other entities like airports and air navigation service providers are part of a 
hazardous operation, they have a limited impact on the exposure to safety risks. 
They suffer limited impact from safety risks. 

It is therefore necessary for the aircraft operator to have a risk-based Safety 
Management System. Risk assessment is part of Risk Management and should 
only be performed by the most influential entity in collaboration with the others 
that support the addressed flight operation. The necessity to assess the risk of 
flights seems best to remain with the operators. This is because it appears to be 
the only entity that predetermines the scenarios, can estimate convoluted 
likelihoods, and control incurred damages and losses when deciding on the 
type of aircraft used. The influence of the other entities on likelihood, damage 
and loss are unevenly allocated. 

When taking a macroscopic 65 view of an air transport operation, it is 
recommended to leave the risk-based safety management with the aircraft 
operator. 

Furthermore, when employing quantitative risk assessment, the lead for 
assessing safety should be with the aircraft operator in conjunction with the 
other two entities—air navigation service providers and airports. The operator is 
the one to ultimately decide whether to fly through a given airspace or take off 
and land at a specific airport and the one entity that must ask the questions “What 
can happen? How likely it is that it will happen? And if it does happen, what are 
the consequences?” 

While setting the likelihood 66 as a standard value makes sense for the air 
navigation service provider, it is doubtful whether it will also be applicable for 
every type of flight operation. For the average risk 67 of a realization it must be 
compatible with the aircraft operator’s way of conducting its flight operation. 
Given different acceptable risks and the considerable variability in the 


64 See also Aven and Zio (2011), pp. 64-74. 

65 That is group not individual risks, and many realizations and not a single flight. 

66 See also level of safety or target level of safety (TLS). 

67 The product of likelihood times consequences see above. 
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consequences, the likelihood for a given type of flight operation 68 cannot be a 
standard value. 

Different risk management activities in general increase the complexity of a 
system and lead to the creation of incompatibilities. 

This is especially true in air transport, where we see an increase in system 
complexity; thus, care must be taken that the creation of incompatibilities is 
avoided, not only globally but also locally. 

Acknowledgements The author would like to thank Harro Ranter for the accident data sets, Jules 
Hermens Eng Civil Aviation Authority the Netherlands and John Dyson Eng NATS for a critical 
review and discussions on various topics, Prof. Dr. Wolfgang Kroger of the Risk Centre at ETH 
Zurich for the advice regarding industrial risks, and several other peers from air navigation. 


Appendix: Types of Risk 


Risk 

Manifestation 

Strategic 

- Consumer behavior 

- Policy changes 

- Regulation changes 

- Marketing 

Financial 

- Loan management 

- Fraud 

- Capital management 

Operational 

- Products, projects, design 

- Labor force problems 

- Political demonstrations 

- Property 

Commercial 

- Parts delivery 

- Joint venture partners problems with management 

- Legal 

Technical 

- Default of technical infrastructure 

- Fire 

- Explosions 

- Flood 

- Natural catastrophes 

Environmental 

- Activities of green activists 

- Change in regulations 

- Unintended pollution 

- Public perception 


68 For example Adams Richard and Payne (1992), p. 39. 
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Appendix: Accident Definitions 
ICAO 69 

An occurrence associated with the operation of an aircraft which, in the case of a 
manned aircraft, takes place between the time any person boards the aircraft with 
the intention of flight until such a time as all such persons have disembarked, or in 
the case of an unmanned aircraft, takes place between the time the aircraft is ready 
to move with the purpose of flight until such a time as it comes to rest at the end of 
the flight and the primary propulsion system is shut down, in which: 

(a) a person is fatally or seriously injured as a result of: 

- being in the aircraft, or 

- direct contact with any part of the aircraft, including parts which have 
become detached from the aircraft, or 

- direct exposure to jet blast, except when the injuries are from natural causes, 
self-inflicted or inflicted by other persons, or when the injuries are to 
stowaways hiding outside the areas normally available to the passengers 
and crew; or 

(b) the aircraft sustains damage or structural failure which: 

- adversely affects the structural strength, performance or flight characteristics 
of the aircraft, and 

- would normally require major repair or replacement of the affected compo¬ 
nent, except for engine failure or damage, when the damage is limited to a 
single engine, (including its cowlings or accessories), to propellers, wing 
tips, antennas, probes, vanes, tires, brakes, wheels, fairings, panels, landing 
gear doors, windscreens, the aircraft skin (such as small dents or puncture 
holes), or for minor damages to main rotor blades, tail rotor blades, landing 
gear, and those resulting from hail or bird strike (including holes in the 
radom); or 

(c) the aircraft is missing or is completely inaccessible. 

Dataset from the Aviation Safety Network Database' 

- Accidents (no incidents, hijackings or sabotage) 

- Fatalities (at least one among the plane’s occupants) 

- Aircraft model certified to carry 12 passengers or more 

- Aircraft damaged beyond repair 

- Data from 1st January 2000 until 23rd August 2013 


69 From ICAO Annex 13 2010 p. 1-1. 

70 http://aviation-safety.net. 
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Definition: Massgroup nr. as used in ECCAIRS 

1: <2,250 kg 

2: 2,251-5,700 kg 

3: 5,701-27,000 kg 

4: 27,001-272,000 kg 

5: >272,000 kg 

Maximum Take-Off Weight (MTOW) in kg. 71 


Appendix: Joint Probability Distribution of Aircraft Weight 


and Total Fatalities 



The 3d Graph shows central tendencies supporting arguments for expected values. 


71 Maximum certificated for the entire model range, not of the accident plane in question. 
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Appendix: Decision Layer and Influence 



Source : Own illustration 

With respect to the layers in Fig. 10.5, this Gauss-Venn diagram shows the 
influence of decision B, given decision A : under the assumption of an equal 
decision space distribution. For example, if the decision space of A is extended 
while the one of B remains, the growing impact of A is obvious 


Appendix: Kinetic and Chemical Potential Energy of Aircraft 
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72 Freitas (2012), p. 12 Table II, p.13 Table III. 
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The difference in potential energy between take-off and landing reaches two to 
three orders in magnitude. 73 
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Importance of Fatigue Risk Management 

Stefan Becker and Ernst Kohler 


11.1 The Relevance of Fatigue in Aviation 

Fatigue is caused by sleep deprivation. Sleep is a basic human need. When you are 
thirsty you drink; when you are hungry you eat. And when you are tired, only sleep 
will prevent fatigue and its almost inevitable and, sometimes, extremely serious 
consequences. For the aviation industry, the question how far fatigue poses a risk of 
accident for crews, patients, 1 passengers, the public at large and, in the end, also 
companies needs to be addressed. 

Fatigue does not pose a risk in itself, but is rather a physiological condition 
caused by a number of factors. The following are contributing factors: 

• Individual sleep need, including existing cumulative sleep debt, 

• Sleep quantity, 

• Sleep quality, 

• Circadian rhythm, 

• Length of current and preceding duty periods, 

• Exposure of the body to the environment (e.g. solar radiation, light, noise, 
vibrations, heat, changes in air pressure), 

• Absolute and relative physical and mental effort, 

• General physiological constitution, including previous medical conditions, 

• Nutrition, 

• Stress (in both professional and private life) and, 

• Where appropriate, time zone adjustments (long-haul flights). 


1 As per its deed of foundation, Swiss Air-Rescue Rega conducts aeromedical flights only. 
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It is the impact of fatigue or over-tiredness on a person’s performance, and the 
resulting error frequency and severity that pose potential critical risks. These risks 
need to be managed. 

11.1.1 Fatigue: A Measurable Factor? 

First, it is necessary to establish the scientific definition of fatigue. The ICAO 
defines fatigue as follows: 

A physiological state of reduced mental or physical performance capability resulting from 
sleep loss or extended wakefulness, circadian phase, or workload (mental and/or physical 
activity) that can impair a crew member’s alertness and ability to safely operate an aircraft 
or perform safety-related duties. 2 3 4 

As far as measurability is concerned, two different approaches need to be taken 
into consideration: subjective and objective fatigue. 

The challenge posed by subjective measurement values is their comparability 
and applicability with regard to objective physiological states. In practice, for 
subjective evaluations the following scales are used, which enable physiological 
conclusions to be drawn: 

• Karolinska Sleepiness Scale (KSS), 3,4 

• Visual Analogue Scale to Evaluate Fatigue Severity (VAS-F) 5 

• Samn Perelli Scale (SPS) 6 

In order to correlate the findings with the above-mentioned scales, study 
participants are generally also asked to keep a sleep logbook. 

Objective measurement results relating to fatigue and sleep can be achieved by 
means of invasive polysomnography together with electroencephalograms (EEG), 
electro-oculography or body temperature measurement, or by non-invasive 
actigraphy. In practice, however, only actigraphy is generally used in an operational 
setting. The actigraphs currently on the market, usually in the form of a wristwatch¬ 
like device, have the necessary sensitivity and specificity. Thanks to their 
non-invasive application, the measurement results are also less influenced by the 
device itself, as it is generally not perceived as a “foreign body”. 

11.1.2 Fatigue: An Overestimated Safety Risk? 

Fatigue is without doubt one of the most frequently underestimated risks connected 
with error making. 7 This is particularly due to the fact that without appropriate 


2 International Civil Aviation Organization (ICAO) (2012). 

3 Putilov and Donskaya (2013). 

4 Shahid, Wilkinson, Marcu, and Shapiro (2012a) 

5 Shahid, Wilkinson, Marcu, and Shapiro (2012b). 

6 Samn and Perelli (1982). 

7 Akerstedt (2000). 




11 Importance of Fatigue Risk Management 


117 


training, people find it difficult to accurately assess their own level of fatigue. Even 
as working time progresses, they continue to subjectively assess their fatigue level 
as low, although from an objective point of view it has increased. 8,9 Correspond¬ 
ingly, the potential risk is also underestimated. 

During long-haul flights, particularly long periods of wakefulness and little sleep 
give rise to acute sleep debt, of which the crew member is more conscious, and can 
thus more easily assess the fatigue-related risk. However, with regular, shorter 
overall duty periods, crew members build up, over a period of days, a cumulative 
sleep debt, of which they are generally much less aware. Assuming that an 
individual requires 8 h of sleep a day, but only obtains 7 h each night over a period 
of a working week (Monday to Friday), at the end of this period he has accumulated 
a sleep debt of 5 h. As a result, the operational risk can increase to the same degree 
as if he had slept normally for the first four working days but had had just 3-4 h of 
sleep during the night from Thursday to Friday. 

On long-haul flights, when the circadian body clock is desynchronized due to 
changing time zones, this gives rise to so-called jet lag. Common symptoms are 
fatigue due to sleep disruption, exhaustion and a feeling of being unwell, as well as 
confusion and digestion problems. 

Without special training, crew members often underestimate the impact of sleep 
debt and the ensuing risks. Already a sleep debt of 3 h is comparable to an increased 
level of alcohol in the blood that would preclude the person concerned from driving 
a car, and certainly from flying an airplane. 

This also applies to situations where, for example, crew members sleep for 10 h 
but then have prolonged periods of wakefulness with sleep restrictions. Despite the 
preceding lengthy period of sleep, after the 12th hour of being awake, the average 
performance degrades, and by the 16th hour the cognitive performance deficit is 
comparable to that of a person with a blood alcohol concentration of approx. 
0.04 %. 10 Being awake for more than 20 consecutive hours impairs reaction 
times to a level similar to those found with a blood alcohol level of 0.1 %. 11,12 
Already with a blood alcohol concentration of 0.06-0.09 % there is a 1.36-3.3 
times higher risk of an accident (in the 95 % interval). 13 

Sleep deprivation and prolonged periods of wakefulness have immediate 
effects. 14,15 

• Up to 50 % degradation in reaction speed 

• Reduced memory 


8 Sasaki, Kurosaki, Mori, and Endo (1986). 

9 Van Dongen, Maislin, Mullington, and Dinges (2003). 

10 Dawson and Reid (1997). 

11 Lamond and Dawson (1999). 

12 Rajaratnam and Arendt (2001). 

13 Compton et al. (2002). 

14 Van Dongen, Belenky, and Krueger (2011). 

15 Williamson and Feyer (2000). 
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• Impaired vigilance 

• Reduced hand-eye coordination 

• Reduced situation awareness 

• Impaired decision-making ability 

• Increased micro sleeps (momentarily nodding off) 

• Prolonged sleep inertia immediately after waking up 

• Increased irritableness 

• Increased apathy 

Moreover, the long-term health effects of chronic fatigue, such as cardiovascular 
diseases, diabetes and metabolic disorders, should also be taken into consideration. 


11.1.3 Fatigue: An Individual or Systemic Factor in Accident 
Causation? 

Although fatigue is an individual physiological reaction on the part of crew 
members, systemically promoting or inhibiting framework conditions should also 
be taken into consideration. Ultimately, a fatigue-related incident or even a fatigue- 
related accident is the end of a causal chain of events, or “error trajectory”, where 
the fatigue risk was insufficiently considered at various points in the process, or 
where the mitigation strategies were not effective. Naturally, the chicken and egg 
question can be posed in this respect—that is, whether the cause was purely an 
individual error resulting from fatigue, or whether a system had facilitated it. 

In the field of aviation, fatigue is a risk that, like all other risks related to flight 
operations, must be addressed within the framework of a Safety Management 
System (SMS). As it is a complex risk, a fatigue-specific sub-SMS, known as a 
Fatigue Risk Management System (FRMS), is necessary. 

However, Risk Management does not come to an end on completion of the last 
flight of the day/shift. In accordance with the duty of care, the journey home after 
work by a potentially overtired employee should also be taken into consideration. 16 


11.2 Rega's Fatigue Risk Assessment Study 
11.2.1 Aim of the Study 

For a number of years, Swiss Air-Rescue Rega has been aware that fatigue on the 
part of its crew members can have consequences. For this reason, Rega decided to 
evaluate this risk as precisely as possible on a scientific basis, and to develop risk- 
based mitigation strategies. To this end, an independent company was entrusted 
with the following tasks: 


16 Scott etal. (2007). 
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• General identification of fatigue risks within the scope of Rega’s flight 
operations and other framework conditions, such as the duty roster model and 
its potential impact on safety 

• Personal interviews with pilots relating to fatigue and sleeping habits 

• Investigation and analysis of sleep and fatigue relating to pilots and other crew 
members, both during and outside official duty periods 

• Support in the development of effective mitigation strategies, e.g. by designing 
new duty roster models and introducing a company and operation specific 
Fatigue Risk Management System (FRMS). 

Rega carried out several sub-studies on fixed-wing and helicopter missions, 
relating to each of the two operations—helicopter emergency medical services 
(HEMS) and airplane emergency medical services (AEMS)—separately. 

These studies also aimed at increasing staff awareness of the risks relating to 
lack of sleep, prolonged periods of wakefulness and the ensuing physiological and 
psychological effects. 

The results of the studies were also intended to form a base for establishing a 
Fatigue Risk Management System (FRMS). 


11.2.2 Materials 

Basically, all flight crew members were made available to participate in the studies 
and were guaranteed absolute anonymity. In order to measure the individual fatigue 
levels objectively, each crew member was given a “ReadiBand” actigraph. 
ReadiBand is a highly sensitive wristwatch-like device that accurately monitors 
fatigue and sleep by means of movement and acceleration sensors. Preliminary 
studies, with the aim to validate the design, showed that this actigraph provides 
92 % of the accuracy of laboratory sleep testing without using invasive and complex 
polysomnography methods. The device is waterproof and indestructible. The only 
function it has for the wearer is that it indicates the time, so it can be worn instead of a 
watch. The study participants were then required to permanently wear an actigraph 
for a period of two weeks (helicopter crews) or 3^1 weeks (fixed-wing crews). 

In addition to the actigraphs, all study participants kept a personal logbook in 
which they recorded both the subjective level of fatigue and any accompanying 
circumstances, which was then correlated with the objective data. To this end, the 
crew members evaluated their level of alertness in accordance with the Samn- 
Parelli scale (SPS), 17 both before and after periods of sleep and naps. They also 
noted down the quality of their sleep and their subjective sleep need. 

In order to assess the effects of sleep debt and circadian influences on perfor¬ 
mance, the study participants were required to carry out so-called psychomotor 
vigilance tasks (PVT), in the form of reaction tests, at predefined times before, 
during and after flights for the entire duration of the study. These involved standard 


17 Samn and Perelli (1982). 
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tests, developed by the Walter Reed Army Institute of Research, 18 which were 
performed on an electronic Palm Pilot organizer provided to each study participant. 

During the study, each participant was contacted twice by telephone by the 
independent research institute. The purpose was, on the one hand, to ensure that the 
data collection was functioning properly and, on the other, to ask participants about 
social or other environmental factors that could affect the quantity and quality of 
their sleep in order to integrate these findings into the study. 

After this data collection phase, the actigraphs and logbooks, as well as the PVT 
test devices, were directly sent by the study participants to the independent research 
institute so that the data could be read and evaluated. In order to also be able to 
compare the results at an international level, the Fatigue Avoidance and Scheduling 
Tool (FAST®) was used, which is also used by the US Department of Defense, the 
US Department of Transportation and the Federal Aviation Administration (FAA). 
FAST® was specially developed for the aviation industry and allows continuous 
fatigue risk monitoring, even when high volumes of data are involved. The tool 
produced a precise sleeping profile for each of the participating crew members 
(Fig. 11.1). This sleeping profile had been influenced by such factors as activities, 
time zone changes, rest periods and sleep periods in the aircraft, and was also 
documented by the study participants in their personal logbook. 

The effects of sleep quantity and quality on the study participants’ individual 
performance in their daily work was evaluated by means of the Sleep, Activity, 
Fatigue & Task Effectiveness (SAFTE™) model (Fig. 11.2). To achieve this, 
besides fundamental factors such as circadian rhythm, sleep history and time 
spent awake, SAFTE used a host of other data delivered by the actigraph 
(ReadiBand) (Fig. 11.3). This data was then compared with the personal logbooks 
and conclusions were drawn relating to increased sleep need and sleep debt, as well 
as successfully and unsuccessfully applied mitigation strategies. 

After collecting and evaluating the data, the next step was to assess the risk. For 
this purpose, the mission risk was portrayed in the form of key risk indicators (KRI), 
by means of matrix evaluation. Here, the overall risk is indicated on a 5 x 5 risk 
matrix, with the likelihood of occurrence shown on the Y-axis and the mission safety 
that is compromised by fatigue on the X axis. The following risk rating applies: 

• Low risk: KRI 1-4 

• Medium risk: KRI 5-11 

• High risk: KRI 12-25 


11.2.3 Results 

The predictions relating to the cognitive effectiveness of the flight crew members 
provided by the FAST method proved to be very reliable. The deviation between 


18 Thome et al. (2005). 
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Fig. 11.1 Example of the FAST program results 


the forecasted and the actual effectiveness amounted to between —4 % and +3 % 
based on 172 block hours. 

In individual situations, flight crew members were found to be suffering from 
higher levels of fatigue than allowed by Rega’s own safety standard. It was 
discovered that without the corresponding training and experience, the crew 
members were not able to optimally apply and evaluate the risk factor of fatigue 
in their work planning. 

After training, the crews showed an increased awareness of fatigue as a risk 
factor. However, the fact that crew members with sleep debt were not able to 
accurately assess their own level of fatigue was also confirmed. 19 

The following individual mitigation strategies were used by the flight crews in 
accordance with their training: 

• Food 

• Planned in-flight rest (bunk/cabin) in accordance with the crew members’ 
circadian rhythms and potentially fatiguing mission phases 

• Changed in-flight rest structure 

• Caffeine 

• Increased use of SOPs 

• Fatigue taken into consideration during briefings 

• Flight crew member (FCM) notified of fatigue 

• Increased use of automation 

• Enhanced use of crew resource management (CRM) 


19 Clockwork Research Ltd. (2011), pp. 178 and 220. 
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Fatigue Causes & Consequences 
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Fig. 11.4 Example of Fatigue causes and consequences. Source : Clockwork Research 

• Controlled rest in the cockpit 20 

• Targeted advance sleeping at the Rega Centre before early-start duties 21 

• Naps in the afternoon before starting a night duty 22 

• Naps during ground patient transfers at airports 

• Use of cockpit iPad 

• Use of ear plugs and sleep masks 

• Use of own sleeping bags and pillows 

Thanks to these comprehensive studies and the clear commitment on the part of 
the management to establish fatigue as an officially recognized safety risk in the 
corporate culture, it was possible to achieve a change in mentality, as well as 
conscious consideration of this factor when drawing up the duty rosters (Fig. 1 1.4). 
At an operational level, the following risk factors were taken into account: 

• Duty hours 

• Cumulative duty 

• Basic maximum flight duty period 

• Night, early and late duties 


20 Rosekind et al. (2009). 

21 Rupp, Wesensten, Bliese, and Balkin (2009). 

22 Rupp et al. (2009). 
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• Duty extensions 

• Duty extensions due to in-flight rest 

• Positioning and travelling 

• Extension of on-ground break 

• Pilot-in-command discretion 

• Airport standby 

• Standby other than airport 

• Basic rest 

• Basic rest-reduced rest 

• Extended and recovery rest 

• Time zone crossing 

To allow for the above-mentioned risks, among other things, the following 
operational mitigation strategies were implemented: 

• Predicting the expected level of fatigue during the mission phases by means of 
FAST and, where necessary, scheduling additional crew members 

• Activating the crew as early as possible 

• Pre-positioning with night stop ideally in the same time zone 

• Planning missions in accordance with circadian principles, in particular avoiding 
starts and landings during the window of circadian low (WOCL) 

In this way, it was possible to significantly reduce the mission risk on 11 ultra- 
long-haul missions. Predicting the fatigue levels played a significant role in this 
respect. Here, the FAST program provides a reliable calculation base, as the studies 
showed: 

These findings indicate that, for this mission, FAST is a reasonably accurate tool for 
predicting mission effectiveness. 23 

Initially, a high risk was registered in three cases, and a medium risk in eight 
cases. In all cases in which initially a high overall risk (Key Risk Indicator 
KRI> 11) existed, this dropped to a substantially reduced medium residual risk 
after applying operational mitigation strategies. Thus, on all the ultra-long-haul 
flights there was only a moderate residual risk. 

In the sphere of helicopter flights, it was found that overall the fatigue factor was 
well managed by Rega thanks to the existing operational framework conditions 
(corporate culture, OM, SOP). It emerged, that night missions in particular are very 
tiring for flight crew members. On the Karolinska Sleepiness Scale (KSS), 24 the 
value for night flights increases by one point per mission flown. Moreover, when 
using night vision goggles (NVG), the impact is doubled. 25 Of additional relevance 
was the length of the mission. The reasons for this are cumulative and acute sleep 
debt, physiologically unfavorable circadian night phases, short phases between 
waking up and taking off in the helicopter, as well as the considerable strain and 


23 Clockwork Research Ltd. (2011), p. 58. 

24 Shahid et al. (2012a). 

25 Clockwork Research Ltd. (2012). 
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Sleep disruptions on base 
■ Always ■ Often Sometimes ■ flare ty ■ Never 


Fig. 11.5 Rega fatigue risk study 

exertion of performing a night mission. In this connection, with primary missions, 
the type of mission (winch operation, search flight, etc.) is not important. Equally, 
no significant differences were found between the fatigue experienced by pilots and 
by HEMS crew members (HCM). 

Nevertheless, the existing mitigation strategies could be implemented even more 
effectively. For example, although the 3-h break specified in the Operations Manual 
(OM) was evaluated as being beneficial, it was not used nearly as much as it could 
have been. The 6-h break, also provided for in the OM (temporary closure of 
helicopter base) with the aim of limiting working at night, was also not always 
correctly implemented by the crews. After closing the base, crew members continued 
to perform technical and administrative tasks, and stopped only to sleep after these 
had been completed. This resulted in an unplanned and avoidable sleep deficit. 

The existing rest and sleeping facilities at the helicopter bases were rated as 
very good. 

The comparative study of the duty time model, 24 h versus 48 h, examined the 
levels of fatigue and performance of the flight crews in the course of 76 periods of 
duty with a total of 226 missions using the 48 h model, and 138 duties with a total of 
366 missions using the 24-h model. No advantages relating to operational safety 
could be identified in connection with the 24-h model, 26 thus reconfirming the 
results of the preceding HEMS main study (Fig. 11.5). 


11.2.4 Conclusions 

Despite the fact that Rega voluntarily permits its flight crews breaks that go far 
beyond the legal requirements, before the Fatigue Risk Management System 


26 


Clockwork Research Ltd. (2013). 
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(FRMS) was introduced states of fatigue that posed a potential safety risk were 
identified. It was only after collating data and analyzing and evaluating the risks 
relating to both fixed-wing and helicopter operations that it was possible to develop 
specific mitigation strategies. Raising awareness among flight crew members relat¬ 
ing to fatigue as an operational risk factor has resulted in it now being managed in a 
professional, scientifically based and responsible manner. 

However, there is no such thing as an error-free mission; every operator will 
repeatedly make mistakes. Whilst errors of a purely technical nature can be 
increasingly reduced by continually making improvements, cases of human error 
are on the rise—not least due to the increasingly complex technology and the 
ensuing increasingly complex: man-machine interface. Added to this is the fact 
that in recent years the legally prescribed Crew Resource Management (CRM) 
training has resulted in creating greater awareness of human error, as well as 
delivering effective identification methods and mitigation strategies. Consequently, 
in absolute terms, more errors caused by human factors are being identified, 
communicated and avoided. Also, in the case of fatigue, the aim is to teach 
employees to recognize the human factors and the resulting error trajectories in 
good time, and to try to avoid them and, subsequently, their consequences. For this 
purpose, Rega has drawn up a Rega Fatigue Guide for use by the employees. 

At an operational level, Rega has now integrated the fatigue factor into the 
overall risk assessment for missions. Here, it is possible to predict the risk of fatigue 
and where necessary make adjustments to avoid it occurring (Sect. 11.3). To this 
end, the FAST prediction provides a reliable basis on which to calculate the lowest 
mission risk relating to various operational scenarios in terms of both time and staff. 

Apart from compromising safety, sleep debt and fatigue also lead to a drop in 
productivity and with it, unnecessarily high costs for the company concerned. 27 


11.2.5 Discussion 

A Fatigue Risk Management System (FRMS) must form an integral part of a 
company’s Safety Management System (SMS). 

In addition to identifying risks, a FRMS assesses risks and introduces effective 
countermeasures at the earliest possible point of the error trajectory. Solely focus¬ 
ing on flight operations would be insufficient, with the result that the fatigue-related 
risk for the operator would be underestimated. Even the best and most rested pilots 
cannot totally counteract technical errors made by fatigued maintenance staff. 
Forgotten lock pins, nuts tightened at a too high or too low torque or even the 
classic error of leaving bolts or tool parts inside critical aircraft components are all 
potential causes of serious malfunctions which are physiologically related due to 
cognitive impairment on the part of overtired maintenance and service staff 
(Fig. 11.7). 
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The identified potential error development trajectories must be continually 
re-evaluated within the framework of dynamic Risk Management and necessary 
modifications made to the mitigation strategies, in order to counteract the develop¬ 
ment of potentially severe errors as early as possible. This principle is not FRMS- 
specific and applies to the framework of quality management in general and safety 
management in particular. It is also not necessary to establish FRMS as a parallel 
structure to SMS. On the contrary, FRMS is optimally applied when fatigue on the 
part of staff flows into the company SMS as an error occurrence source (Fig. 11.6). 
Overall safety largely depends on the frequency and quality of such re-evaluations 
(Fig. 11.8). 

Explicit reference should be made to the considerable risk of a single action bias. 
This is an infinite management process. Anyone for whom this seems rather 
expensive is recommended to calculate the potential financial, reputational and 
legal costs and consequences of a technical incident (e.g. exceeding the rotor mast 
moment of a helicopter, hydraulic failure, FOD in the engine) or even worse, of an 
accident. 

The results of the Rega studies are based on particular operations and are 
therefore company-specific. Simply transferring the detailed results to other 
operators would be inappropriate and potentially dangerous. The results relating 
to one company could lull another company into a feeling of false safety. For this 
reason, Rega refrains from publishing any specific measurement results. 

All flight operators must comply with the appropriate national and supranational 
laws, as well as international legal provisions, such as the Chicago Convention 
(ICAO annexes), EU law, European Rules for Air Operations (Commission Regu¬ 
lation (EU) No. 965/2012), Swiss Code of Obligations (OR), Luftfahrtgesetz (LFG) 
(Swiss aviation law), Arbeitsgesetz (ArG) (Swiss labour law), Luftfahrtverordnung 
(LFV) (Swiss aviation directive), Verordnung fur Betriebsregeln im 
gewerbsmassigen Luftverkehr (VBR I) (ordinance governing the operation of 
aircraft for commercial air transport) and the Verordnung fiber die Verkehrsregeln 
fur Luftfahrzeuge (VVR) (ordinance governing the operating regulations for com¬ 
mercial civil aviation). All the above-mentioned regulations are, concerning indi¬ 
vidual points, relevant to FRMS. Added to this are collective or company 
employment agreements. Companies that apply the principles of good corporate 
governance also take account of circumstances that are not governed by law, but 
that are of benefit to their company and employees. This includes not permitting 
staff suffering from fatigue to drive home themselves or scheduling more rest time 
than prescribed by law. Rega offers its employees rest facilities at all its bases that 
are designed based on the latest sleep research findings. This not only provides 
flight crew members with sleeping accommodation, but also enables high quality 
sleep. At the company headquarters and at all of the helicopter bases, there are 
several apartments that can be used at short notice and free of charge. It also pays 
for travel by public transport, so that fatigued crew members do not have to drive 
themselves home. Furthermore, Rega has introduced so-called “compensation 
time”, in addition to the statutory rest time. Compensation time, approximately the 
same length as the official rest time, aims to ensure that flight crews are well rested 
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Fig. 11.6 FRMS is an 
integrative component of a 
SMS. Implementation guide 
for operators. Source : 
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when they commence their period of duty. As all studies show, great emphasize 
should be put on ensuring that staff have sufficient sleep before commencing a period 
of duty as existing sleep debts can no longer be compensated during the mission, and 
therefore represent a correspondingly increased risk. 


































11 Importance of Fatigue Risk Management 


129 


11.3 Countermeasures Against Fatigue 
11.3.1 Regulatory Recommendations 

In the past, legislators have taken a regulatory approach to fatigue prevention by 
regulating the duration of work and non-work periods. In the sphere of aviation, this 
is known in many countries as “flight time limitations and rest requirements”. 
However, it is not always clear which legislation actually applies. 

For example, if a Swiss pilot-in-command with a FOCA license flies together 
with an Austrian co-pilot with a EASA license in an aircraft registered in the USA 
on behalf of an Egyptian aviation company over Russian territory, the question 
arises as to exactly which regulations apply. In Appendix 2 to ICAO Annex 6, the 
ICAO defines the organization and contents of the Operations Manual (OM) and 
under Para. 2.1.2, part (a) explicitly requires flight and rest times to be specified 
within the framework of Fatigue Risk Management. In Europe, the framework 
conditions that are prescribed by law are specific to the operator and are defined by 
the operator in accordance with Appendix 1 to EU-OPS 1.1045, Para. A.6.1 part, j, 
in the General/Basic section of the Operations Manual (OM-A). The competent 
supervisory authority is responsible for approving the OM to ensure compliance 
with the applicable laws and regulations. The AOC is decisive for the flight and rest 
times. In the above-mentioned hypothetical case, this was issued by Egypt. As far as 
the approval of the OM is concerned, Egypt lies outside the EASA’s jurisdiction. 
However, as Egypt has signed the Montreal Convention, and thus recognizes the 
ICAO, it is bound by the international ICAO guidelines. Nevertheless, these only 
regulate the organization of the OM, but not the length of the flight and rest times 
themselves. In the above example, the organization of the OM could, and most 
probably would, comply with the statutory standards. However, hypothetically, it is 
possible that a flight time of 18 h without a break could be approved by the Egyptian 
authorities. Thus a flight time for both pilots of 15 h without a break would be 
formally legalized, despite the fact that this would be imprudent due to the risk of 
fatigue. 


11.3.1.1 Hard Rule 

Generally speaking, legislators and authorities have a high interest in promoting 
safety. However, they are equally interested in their regulations being monitored in 
a simple and straightforward way. Until now, legislators have addressed the risk of 
fatigue simply by applying blanket regulations relating to maximum working times 
and minimum number of resting times and breaks, despite the fact that in 
Switzerland alone, working time regulations in the sphere of aviation is a very 
complex topic. 28 Such limits were primarily intended to protect the employee. 
Legislators are faced with the challenge of satisfying the needs of all operators as 
well as all situations, both predictable and unpredictable. This “one size fits all” 
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philosophy only functions when minimum safety standards, including all possible 
deviations, can be precisely defined or, in the absence of potential concrete identi¬ 
fication of risks for all the companies, when the safety buffer is large enough. In 
many technical areas, this kind of so-called “hard rule” can be adopted and applied 
in an efficient manner (cf. EASA Certification Specifications, European Standards). 

However, it is difficult to understand why a model that is successful and efficient 
for technical matters should be used to respond to the potential risk-related 
consequences of multifarious human behavior. It must be possible to implement 
laws and directives in such a meaningful and safe way that they neither compromise 
safety nor place a burden on the market through overregulation or even bureau¬ 
cracy. This calls to mind the former Commission Regulation (EEC) Nr. 1677/88 - 
the so-called “Cucumber Regulation”—where the EU regulators in Brussels even 
specified the curvature of a cucumber as a quality standard. This standard has now 
been rescinded as the legislators recognized, in this particular case, management by 
direction and control was not expedient (Fig. 11.9). 

11.3.1.2 Soft Rule 

The counterpart of the rigid flight and rest time regulation (hard rule) is a result- 
oriented risk management process. This allows fatigue-related risks to be regularly 
identified and assessed. It also enables operational processes to be actively adapted 
and mitigation strategies to be drawn up by all flight operators that are required to 
implement them. Here the legislator determines the safety goals, which must then 
be achieved by the operators through their in-house risk management process. 

The acceptable level of safety expresses the safety goals of an oversight authority, an 
operator, or a services provider. From the perspective of the relationship between oversight 
authorities and operators/services providers, it provides the minimum safety objective 
(s) acceptable to the oversight authority to be achieved by the operators/services providers 
while conducting their core business functions. 29 

A result-oriented process with a safety objective, including a goal for the level of 
safety, also promotes readiness for technical innovation. Innovations make it possi¬ 
ble to achieve or even exceed an existing safety level more easily and cheaply in the 
future. For decades, the speed limit for trucks has been 80 km/h. This hard rule is 
based on the braking performance of a truck fitted with old-style drum brakes and 
without ABS, as was the norm several decades ago. When it was introduced, this 
maximum speed was without doubt appropriate, as it prevented the braking distance 
of the truck, including in adverse driving conditions, from being exceeded and thus 
protected other road users. In the meantime, however, most trucks are equipped with 
modern disc brakes and ABS. Their braking capacity is significantly better than the 
originally prescribed distance. However, this development has taken a very long 
time, because there has been very little incentive for the manufacturers to improve 
the system. Theoretically, it would be more sensible to define the maximum stopping 
distance, as well as other safety and environmental criteria. If the required safety 


29 International Civil Aviation Organization (ICAO) (2009). 
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Fig. 11.9 Concept of so-called hard rules. Source : Own illustration 


level is complied with, it could lead to a model-related maximum speed of 90 or 
100 km/h. 

In the sphere of aviation, a result-oriented process would result in hitherto 
unidentified risks being actively reduced by means of legal regulations with an 
acceptable safety level and active, comprehensive Risk Management by the opera¬ 
tor. The active Fatigue Risk Management process would also identify potential 
risks that are not immediately associated with fatigue. This would achieve a 
positive collateral effect. Thus the claim, “Safety is worthwhile” is true on two 
counts. Furthermore, by means of innovation management, the corporate culture 
could be decisively improved regarding safety. 

Consequently, it is difficult to understand why, for example, a pan-European 
hard rule specifies a maximum duty time of 12 h. At some helicopter bases, 12 h is 
already too long because by this time, the crew members have long been showing 
significant cognitive impairment due to fatigue, resulting from, for instance, the 
number and length of the missions performed at unfavorable circadian times. On 
the other hand, other helicopter bases might not have carried out any missions at all, 
with the result that the crew members are by no means suffering from fatigue. In 
remote regions, it can happen that only four or five missions are flown within a 
period of 96 h. In normal circumstances that would be equivalent to around one 
mission per day. With such a low frequency, the flight crew members are unlikely to 
suffer from fatigue due to an uninterrupted period of duty, and a prescribed safety 
level can be complied with. In fact, a frequent change of flight staff would result in a 
loss of mission experience which would instead have a negative impact on flight 
safety. In addition, the crew members would be exposed to greater risk on the 
roads—which is also completely unnecessary, as such a rigid measure would not 
increase flight safety anyway (Fig. 11.10). 

Legislators should encourage companies to assess the risk of fatigue actively and 
at their own initiative. However, this will only happen when operators are given an 
incentive to continually optimize their processes while at the same time 
maintaining or improving safety. 
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Fig. 11.10 Concept of soft rules. Source : Own illustration 


11.3.2 Organizational Recommendations 

It is quite clear that some companies need to change their way of thinking and to 
realize that simply completing checklists and complying with legal provisions do 
not guarantee safe flight operations. Even if the laws are complied with, serious 
accidents involving fatalities are still also possible, as unfortunate cases all over the 
world continually demonstrate. In the end, independent of laws, ordinances and 
standards, it must be in the interests of each and every flight operator to perform its 
services with the highest possible level of safety, and to successfully and proac¬ 
tively reduce the high potential risk posed by fatigue. Naturally, this applies to all 
other risks, too. 

This responsibility—vis-a-vis passengers, crew members and maintenance 
staff—must be actively assumed. The supposed “passing on” or “delegation” of 
this fundamental responsibility to a third party, including the legislator 
(Sect. 11.3.1), is not in line with good corporate governance. A clear, on-going 
commitment by the company management to introducing a proactive, company¬ 
wide safety culture is absolutely essential. Even the best strategy can be rendered 
ineffective by a misguided corporate culture that neglects safety. This falls in line 
with the management maxim, “Culture eats strategy for breakfast” (Peter Drucker). 

A non-punitive corporate culture is necessary if companies want their employees 
to deal with their own mistakes openly and honestly, and to discuss them internally 
in order to prevent the same mistakes being made again by other crews. People 
make mistakes, and instead of sparking off a destructive tirade of “name-blame- 
shame-claim”, accidents and, even more, incidents can be regarded as valuable, 
constructive elements for a learning and increasingly intelligent organization. 

Fatigue can be triggered by a host of factors over which employees do not 
always have an influence, such as lack of sleep through night noise. It is of key 
importance that staff develop an awareness of the risks associated with fatigue, and 
are correspondingly prepared to address and manage the problem proactively for 
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the good of both themselves and their work colleagues. 30 For this purpose, 
operators should publish possible countermeasures in the form of a guide (e.g. 
Rega Fatigue Guide). 

This also includes the fact that flight crew members should, at any time, be able 
to report in as “unfit to fly” before commencing a period of duty, without being 
subjected to reproach, criticism or “interrogation”. It also comprises employees 
notifying each other of impairments, such as those due to fatigue in a constructive 
manner, in order to avoid safety risks and to seek suitable resolutions in good time. 
Naturally, it should not be possible for this kind of system to be misused, such as by 
giving overall, systematic, non-punitive absolution for willfully or grossly negli¬ 
gent violations. Investigations carried out by the European Helicopter Safety Team 
(EHEST) show that only 16 % of all unsafe acts concerned violations or willful 
disregard of rules and regulations. The vast majority (84 %) were the result of 
human error. Of these errors, 72 % were attributable to fatigue (judgment and 
decision-making errors 60 %; perceptual errors 12 %). 31 The remaining errors were 
skill-based (28 %), which could only partly be attributed to fatigue because the skill 
impairment was already evident beforehand. Instead, in the case of qualification 
errors, fatigue has a detrimental effect on the compensation mechanisms 
(Fig. 11.11). 

The European Helicopter Safety Team (EHEST) also discovered that regarding 
the causes of unsafe acts, the current condition of the individual (60 %) coupled 
with environmental factors (17 %) made up a large proportion of the factors that 
were influenced by fatigue (77 %). In addition, general personnel factors (23 %) 
played an important role (Fig. 11.12). 

Circadian aspects should be taken into consideration already at the mission 
planning stage and, for example with elective missions, be avoided from the very 
outset by wisely choosing the best time to begin the period of duty (early or late). 
Poor mission planning is the greatest supervisory problem, rating even higher than 
faulty supervision, 32 which is why this topic is examined in more detail under 
Sect. 11.3.3. 

Even the best safety culture needs explicit programs. In the field of aviation, the 
Safety Management System (SMS) is the core program for company-wide safety. 
This should integrate the Fatigue Risk Management System (FRMS) as an essential 
process relating to fatigue-related risks. With the FRMS, just as with the SMS, a 
holistic approach is desirable, and maintenance and service should also be taken 
into account alongside flight operations (Sect. 11.2.5). 

At the end of a shift, operators can offer flight staff members suffering from 
fatigue various options for returning home safely. 33 This could be, for example, the 


30 Caldwell (2005). 

31 EHEST (2008). 

32 EHEST (2008). 

33 Scott etal. (2007). 
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Fig. 11.11 Causes of unsafe acts (EHEST, 2008). Source : Own illustration 



Fig. 11.12 Preconditions for unsafe acts (EHEST, 2008). Source : Own illustration 

possibility of having a sleep before going home, or of the company paying for travel 
by public transport. 

In the long-term, companies can also profit from more alert staff by providing 
health-promoting facilities and activities for its staff, such as ergonomically 
designed workplaces, healthy food, subsidized fitness club memberships, company 
sports teams and general health education. 


11.3.3 Supervisory Recommendations 

When implementing a company-wide safety culture and the related programs, 
managers or supervisors form an integrative link between the senior management 
and the employees. Corporate culture is the sum of the behavior, habits, shared 
history and anticipated future within a company. Supervisors are correspondingly 
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important, as they act as role models who uphold the corporate culture in the 
various spheres on a day-to-day basis. It is essential that they are aware of the 
key role they play, and that they carry it out voluntarily and unconditionally. 
Otherwise, they fail to come across as authentic and are thus more likely to damage 
a healthy safety culture than enhance it. 

Supervisors should also integrate the fatigue factor into their daily mission 
discussions, in order to regularly address the problems involved. They know 
“their” staff and can ensure that the possibilities offered by the company are used 
in order to avoid fatigue. Changes may need to be made to the duty roster to prevent 
acute or cumulative sleep debt or other fatigue-promoting factors. For this purpose, 
superiors are continually informed about new findings gained from the Fatigue Risk 
Management process and also involved in further developing company-wide anti¬ 
fatigue programs, for which they can draw on their everyday experience. 


11.3.4 Individual Recommendations 

In the error trajectory, the last “line of defense” lies primarily with the active 
operative staff, such as the pilots, HEMS crew members (HCM), emergency 
doctors, paramedics, flight nurses, mechanics and avionics engineers. Signs and 
symptoms of fatigue include: 

• Lapses in attention and vigilance 

• Slowed reaction time 

• Poor decision-making 

• Decreased psychomotor coordination 

• Frequent yawning 

• Restlessness 

• Moodiness 

• Inadequate or lack of response when addressed 

• Frequent blinking and/or lengthy phases of eyelids being closed 

• Unintentional and uncontrolled micro sleeps 

Staff should have a high sense of responsibility in relation to fatigue-related 
risks, and should only go about their daily work if their actions will not be impaired 
by fatigue at any time during their duty period or if the risk lies within the 
prescribed, acceptable scope. In this respect, possible intervention activities 
aimed at mitigating fatigue may also be taken into account (Sect. 11.2.3). The 
following measures could be considered (Fig. 11.13). 

Within the aviation industry, flight staff members are strongly dissuaded from 
using sleep-inducing substances to increase sleep quality and quantity. Such drugs 
and medicines cannot be dosed precisely enough and it could occur that a relatively 
high level of the substance is still present in the body at the planned start of the duty 
period. Moreover, the targeted intake of drugs to increase alertness or lengthen the 
period of wakefulness is advised against. Quite apart from the effectiveness and 
the physical side effects for employees, a more rapid degradation of the active 
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Short-Term Measures 


• Informing each other when signs or feelings of tiredness arise 

• Reduction of environmental disturbances, such as by wearing ear 
plugs or a sleep mask during rest periods in the aircraft or hotel 

• Taking targeted and planned naps of approx. 30-45 minutes 

• Exposure to Light 

• Increased use of automation in the cockpit 

• Adaption of the rest times during a mission to the individual 
needs of the team members 

• Social interaction 

• Caffeine 


Medium-Term Measures 


• Sound and sufficient sleep 


Long-Term Measures 


• Healthy eating 

• Good physicial fitness 


Fig. 11 .13 Individual compensation measures 

substance could lead to premature acute fatigue and thus render the individual 
concerned unfit for duty. 34 

Furthermore, employees involved in support processes, such as mission 
coordinators, dispatch staff or logisticians, should not only observe and assess 
their own level of fatigue, but also pay attention to signs of fatigue on the part of 
crew members and, where necessary, offer them the appropriate constructive 
feedback or suggest an alternative course of action. 
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Besides all the national and international regulations and proactive safety measures, 
also the findings of the accident investigation authority are of central importance in 
the combined effort to make aviation safer. 

The accident investigation authority (Schweizerische Unfalluntersu- 
chungsstelle—SUST) examines aircraft accidents and issues recommendations to 
the Board of FOCA which later proposes measures to increase safety in aviation. 


12.1 Case Airbus A300-203, Flight AF 447 

The following aircraft accident case has been partially extracted from the final 
investigation report of the Air France A330-203 flight AF 447 from Rio de Janeiro 
to Paris in 2009. The aircraft was destroyed upon crashing in the Atlantic Ocean, 
killing all 216 passengers and 12 crew members. This case serves as an example to 
illustrate a general safety relevant trend. Pilots continuously fail to apply their most 
expedient knowledge and skills for manual flight operations by following standard 
operation procedures. It should be clearly understood that in this accident case 
details of the investigation are discussed as examples only and in a simplified 
manner to fit the scope of this section. 

“On 31 May 2009, the Airbus A330 flight AF 447 took off from Rio de Janeiro 
Galeao airport bound for Paris Charles de Gaulle. The airplane was in contact with 
the Brazilian ATLANTICO control centre on the INTOL-SALPU-ORARO- 
TASIL route at FL350. At around 2 h 02, the Captain left the cockpit. At around 
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Fig. 12.1 Flight routing from departure to accident. Source : Bureau d’Enquetes et d’Analyses 
pour la securite de V aviation civile (BEA) (2012) 

2 h 08, the crew made a course change of 12° to the left, probably to avoid returns 
detected by the weather radar (Fig. 12. 1). 1 

At 2 h 10 min 05, the autopilot and then the auto-thrust disconnected and the PF 
said “I have the controls”. The airplane began to roll to the right and the PF made a 
nose-up and left input. The stall warning triggered briefly twice in a row. The 
recorded parameters showed a sharp fall from about 275 to 60 kt in the speed 
displayed on the left primary flight display (PFD), then a few moments later in the 
speed displayed on the integrated standby instrument system (ISIS). The flight 
control law reconfigured from normal to alternate. The Flight Directors 
(FD) were not disconnected by the crew, but the crossbars disappeared. 

At 2 h 10 min 16, the PNF said “we’ve lost the speeds” then “alternate law 
protections”. The PF made rapid and high amplitude roll control inputs, more or 
less from stop to stop. He also made a nose-up input that increased the airplane’s 
pitch attitude up to 11° in 10 s. 

Between 2 h 10 min 18 and 2 h 10 min 25, the PNF read out the EC AM messages 
in a disorganized manner. He mentioned the loss of auto-thrust and the reconfigu¬ 
ration to alternate law. The thrust lock function was de-activated. The PNF called 
out and turned on the wing anti-icing. The PNF said that the airplane was climbing 
and asked the PF several times to descend. The latter then made several nose-down 


1 Schneider (2012). 
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inputs that resulted in a reduction in the pitch attitude and the vertical speed. The 
airplane was then at about 37,000 ft and continued to climb. 

At about 2 h 10 min 36, the speed displayed on the left side became valid again 
and was then 223 kt; the ISIS speed was still erroneous. The airplane had lost about 
50 kt since the autopilot disconnection and the beginning of the climb. The speed 
displayed on the left side was incorrect for 29 s. 

At 2 h 10 min 47, the thrust controls were pulled back slightly to 2/3 of the IDLE/ 
CLB notch (85 % of Nl). Two seconds later, the pitch attitude came back to a little 
above 6°, the roll was controlled and the angle of attack was slightly less than 5°. 
From 2 h 10 min 50, the PNF called the Captain several times. 

At 2 h 10 min 51, the stall warning triggered again, in a continuous manner. The 
thrust levers were positioned in the TO/GA detent and the PF made nose-up inputs. 
The recorded angle of attack, of around 6° at the triggering of the stall warning, 
continued to increase. The trimmable horizontal stabilizer (THS) began a nose-up 
movement and moved from 3 to 13° pitch-up in about 1 min and remained in the 
latter position until the end of the flight. Around 15 s later, with the ADR3 being 
selected on the right side PFD, the speed on the PF side became valid again at the 
same time as that displayed on the ISIS. It was then at 185 kt and the three displayed 
airspeeds were consistent. The PF continued to make nose-up inputs. The airplane’s 
altitude reached its maximum of about 38,000 ft; its pitch attitude and angle of 
attack were 16°. 

At 2 h 11 min 37, the PNF said “controls to the left”, took over priority without 
any callout and continued to handle the airplane. The PF almost immediately took 
back priority without any callout and continued piloting. 

At around 2 h 11 min 42, the Captain re-entered the cockpit. During the 
following seconds, all of the recorded speeds became invalid and the stall warning 
stopped, after having sounded continuously for 54 s. The altitude was then about 
35,000 ft, the angle of attack exceeded 40° and the vertical speed was about 
— 10,000 ft/min. The airplane’s pitch attitude did not exceed 15° and the engines’ 
Nl’s were close to 100 %. The airplane was subject to roll oscillations to the right 
that sometimes reached 40°. The PF made an input on the side-stick to the left stop 
and nose-up, which lasted about 30 s. 

At 2 h 12 min 02, the PF said, “I have no more displays”, and the PNF “we have 
no valid indications”. At that moment, the thrust levers were in the IDLE detent and 
the engines’ Nl’s were at 55 %. Around 15 s later, the PF made pitch-down inputs. 
In the following moments, the angle of attack decreased, the speeds became valid 
again and the stall warning triggered again. 

At 2 h 13 min 32, the PF said, “[we’re going to arrive] at level one hundred”. 
About 15 s later, simultaneous inputs by both pilots on the side-sticks were recorded 
and the PF said, “Go ahead you have the controls”. 

The angle of attack, when it was valid, always remained above 35°. 

From 2 h 14 min 17, the Ground Proximity Warning System (GPWS) “sink rate” 
and then “pull up” warnings sounded. 
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Fig. 12.2 Airplane attitude 
in the final seconds of flight. 
Source : Bureau d’Enquetes et 
d’Analyses pour la securite de 
E aviation civile (BEA) 

( 2012 ) 



The recordings stopped at 2 h 14 min 28. The last recorded values were a vertical 
speed of — 10,912 ft/min, a ground speed of 107 kt, pitch attitude of 16.2° nose-up, 
roll angle of 5.3° left and a magnetic heading of 270° (Fig. 12.2). 

No emergency message was transmitted by the crew. The wreckage was found at 
a depth of 3,900 m on 2 April 2011 at about 6.5 NM on the radial 019 from the last 
position transmitted by the airplane. 2 

• The examinations of the wreckage undertaken showed that there was no depres¬ 
surization and that on impact: 

- The airplane was intact; 

- The airplane struck the surface of the water with a pitch-up attitude, a slight 
bank and a high vertical speed; 

- The flaps were retracted; 

- The engines were at high RPM ; 

- The stabilizer was near to its maximum pitch-up position. 

• This information was confirmed by the analysis of the data from the flight 
recorders. 

• The blockage of the Pitot probes by ice crystals in cruise was a phenomenon that 
was known, but misunderstood, by the aviation community at the time of the 
accident. From an operational perspective, the resulting loss of all airspeed 
information was an identified malfunction. After initial reactions involving 
basic airmanship skills, this blockage should have been diagnosed by the pilots 
and managed, if necessary, by precautionary inputs on the pitch attitude and 
thrust as detailed in the associated procedure. 

• The occurrence of the failure in the context of flight in cruise completely 
surprised the crew of flight AF 447. The apparent difficulties of handling the 
airplane in turbulence at high altitude resulted in over-handling in roll and a 
sharp nose-up input by the PF. The destabilization that resulted from the 
climbing flight path and changes in pitch attitude and vertical speed therefore 
added to the incorrect airspeed indications and ECAM messages that did not help 
any diagnosis. The crew, whose work was becoming disrupted, probably never 
realized they were facing a “simple” loss of all three airspeed sources. 

• In the first minute after the autopilot disconnection, the failure of the attempt to 
understand the situation and the disruption of crew cooperation had a 
multiplying effect, inducing total loss of cognitive control of the situation. The 
behavioral assumptions underlying the classification of a loss of airspeed 


2 Schneider (2012). 
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information as “major” were not validated in the context of this accident. 
Confirmation of this classification therefore requires additional work in terms 
of operational feedback in order to modify, where necessary, crew training and 
the ergonomics of the information made available to them, as well as the design 
of procedures. 

• The airplane went into a sustained stall, signaled by the stall warning and strong 
buffet. Despite these persistent symptoms, the crew never understood they were 
in a stall situation and therefore never undertook any recovery maneuvers. The 
combination of the warning system ergonomics, and the conditions under which 
pilots are trained and exposed to stalls during their professional and recurrent 
training, did not result in a reasonably reliable, expected behavior patterns. 

• At present, recognition of the stall warning, even when associated with buffet, 
assumes that the crew assigns a minimum degree of “legitimacy” to the alarm. 
This in turn assumes sufficient prior experience with stall conditions, at least 
some cognitive availability and understanding of the situation, as well as knowl¬ 
edge of the airplane (and its protection modes) and its flight physics. A review of 
pilot training did not provide convincing evidence that the associated skills had 
been correctly developed and maintained. 

• More generally, the dual failure of the expected procedural responses shows the 
limits of the current safety model. When action by the crew is expected, it is 
always assumed that they will have the capacity to initially control the flight path 
and to rapidly diagnose and identify the correct entry in the dictionary of 
procedures. A crew may encounter an unexpected situation causing a momen¬ 
tary but profound loss of understanding. If, in such cases, the assumed capacity 
to initially control and then to diagnose is lost, the safety model is in “common 
failure mode”. In this occurrence, the inability to initially control the flight path 
also made it impossible to understand the situation and find the appropriate 
solution. 

• The accident resulted from the following succession of events: 

- Temporary inconsistency between the measured airspeeds, likely following 
the obstruction of the Pitot probes by ice crystals that led in particular to 
autopilot disconnection and a reconfiguration to alternate law, 

- Inappropriate control inputs that destabilized the flight path, 

- The crew not making the connection between the loss of indicated airspeeds 
and the appropriate procedure, 

- The PNF’s late identification of the deviation in the flight path and insuffi¬ 
cient correction by the PF, 

- The crew not identifying the approach to stall, the lack of an immediate 
reaction on its part and exit from the flight envelope, 

- The crew’s failure to diagnose the stall situation and, consequently, the lack 
of any actions that would have made recovery possible (Figs. 12. 3/12.4). ” 3,4 


3 Schneider (2012). 

4 Bureau d’Enquetes et d’Analyses pour la securite de l’aviation civile (BEA) (2012). 
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Fig. 12.3 Airbus FCOM supplied to Air France. Source : Bureau d’Enquetes et d’Analyses pour 
la securite de V aviation civile (BEA) (2012) 


It must be noted that the pilots were not the sole factor behind the crash, but also 
various factors which already start at the stage of the pilot training play a part. As 
already mentioned, there was no convincing evidence that the required stall recov¬ 
ery skills had been correctly developed; nor had they been maintained through 
constant training on the type of aircraft by the flight crew. Each flight crew member 
trained stall recovery on the A320 model, but had no specialized stall recovery 
procedural training on the A330. Additional A330 and A340 type ratings deal only 
with the differences in relation to the type ratings already issued on other types 
(A320, A330, and A340). 

The accident investigation report shows that the pilots reacted according to the 
standard operational procedures. Neither false system indications nor a stall should 
lead to an accident; however, pull and full throttle during a stall will lead to an 
accident. 

It must be understood that accident prevention starts with the pilot training and 
should include Stall & Spin awareness and basic aerobatic maneuvers. In an 
emergency, the systems provide only limited support to the pilot, and simulator 
training is not sufficient for a basic understanding of flying. Swiss Aviation 
Training leads by example and uses an Extra 300 for stall, spin and recovery 
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Fig. 12.4 TU (Technique Utilisation—Technical Standards) Air France. Source : Bureau 
d’Enquetes et d’Analyses pour la securite de 1’aviation civile (BEA) (2012) 


training during their MPL training. The integration of stall, spin and recovery 
training concepts, and carefully selected aerobatic maneuvers during flight training, 
which provide upset recovery procedures, are critical to the development of a 
properly aware and self-confident pilot. 

At the beginning of April 2013, the Federal Aviation Administration issued a 
Safety Alert where it encouraged operators to take an integrated approach by 
incorporating emphasis on manual flight operations into both line operations and 
training (initial/upgrade and recurrent). Where applicable, the operators should 
develop operational policies or review them to ensure there are appropriate 
opportunities for pilots to exercise manual flying skills, such as in non-RVSM 
airspace and during low workload conditions. 
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Furthermore, the FAA recommends developing or reviewing company policies 
to ensure that pilots understand when to use the automated systems, such as during 
high workload conditions or airspace procedures that require use of autopilot for 
precise operations. Augmented crew operations may also limit the ability of some 
pilots to obtain practice in manual flight operations. Finally, airline operational 
policies should ensure that all pilots have the appropriate opportunities to exercise 
the aforementioned knowledge and skills during inflight operations. 5 


12.2 Case Avro 146-RJ100 Flight CRX3597 6 

This second accident case has been extracted partially from the final investigation 
report of the Crossair Avro 146-RJ100 flight CRX3597 in 2001 from Berlin-Tegel 
to Zurich. 

The aircraft was destroyed during the impact, killing all 21 passengers and 
3 crew members. This case serves as an example to illustrate how fatigue can 
contribute as a factor to an aircraft accident. Also here, it should be clearly 
understood that in this accident case, details of the investigation are discussed as 
examples only and in a simplified manner to fit the scope of this section. 

On November, 24th, 2001, at 20:01 UTC (21:01 lcl) the airplane AVRO 146-RJ 
100, registered HB-IXM, took off from Berlin-Tegel airport as CROSSAIR CRX 
3597 bound for Zurich/CH. 

At 20:58:50, after an undisturbed flight, CRX 3597 was cleared for a VOR-DME 
approach into rwy 28 at ZRH. Preceding traffic CRX 3891 (Embraer EMB 145) 
landed on rwy 28 and reported to the control tower that the weather conditions 
found on approach and landing were quite close to the minimum required. 

At 21:05:21, CRX 3597 reported on the tower frequency. At 21:06:10, when the 
flight reached the minimum descent altitude for this approach, the commander 
stated “some ground visibility” to the first officer and continued the descent towards 
the runway. 

At 21:06:36 UTC the aircraft collided with treetops and subsequently crashed 
into the ground. The aircraft caught fire on impact. Twenty-one passengers and 
three crew members died from their injuries at the site of the accident; seven 
passengers and two crew members survived the accident. 


12.2.1 Main Reason for the Crash 

The accident was caused by the flight crew’s descent below the published minimum 
descent altitude for the VOR-DME 28/ZRH approach even though the requirements 


5 Federal Aviation Administration (FAA) (2013). 

6 Aircraft Accident Investigation Bureau (SUST) (2006). 
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for such a course of action had not been fulfilled. A go-around maneuver was 
initiated too late. 

The commander continued below the MDA without having established visual 
contact with the landing runway or runway lighting. The first officer did not make 
any effort to prevent such an action by the commander. 


12.2.2 Contributing Factors 

The following contributing factors (among others) were identified: 

• Lack of crew performance records 

• Lack of crew duty and rest-time records and responsibilities 

• Selection of landing runway by established procedures 

• Unavailability of MSAW for rwy 28 

• Unsuitable recording and publishing of meteorological data 

• Lack of air traffic control personnel 

• Unsuitability of designed approach procedure 

• Unsuitability of depiction of obstacles in approach charts 

• Flying and corporate culture in the company 

The accident is attributable to the fact that on the final approach, in own 
navigation, of the standard VOR/DME approach 28, the aircraft flew in a controlled 
manner into a wooded range of hills (controlled flight into terrain—CFIT). This was 
caused by the fact that the flight crew deliberately continued the descent under 
instrument flight conditions below the minimum altitude for the approach, without 
having the necessary prerequisites. The flight crew initiated the go around too late. 

The investigation has determined the following causal factors in relation to the 
accident: 

The commander deliberately descended below the minimum descent altitude 
(MDA) of the standard VOR/DME approach 28 without having the required 
visual contact to the approach lights or the runway. 

The copilot made no attempt to prevent the continuation of the flight below the 
minimum descent altitude. 


12.2.3 The Following Factors Contributed to the Accident 

• In the approach sector of runway 28 at Zurich airport there was no system 
available which triggers an alarm if a minimum safe altitude is violated (mini¬ 
mum safe altitude warning—MSAW). 

• Over a long period of time, the responsible persons of the airline had not made 
correct assessments of the commander’s flying performance. Where weaknesses 
were perceptible, they did not take appropriate measures. 

The final report of the accident investigation shows that the commander had clearly 

exceeded the maximum allowable operating times in the 2 days before the accident. 

Through his work as a part-time flight instructor before the scheduled service time, 
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he was more than 13.5 h on duty at the time of the accident. A prolonged break from 
work, for relaxation or sleep, was missing. The commander was thus clearly 
exhausted, leading to impaired concentration and decision-making skills. He was, 
as well, error-prone. The SUST concluded from the events that the observed fatigue 
met the criteria for an impairment of fitness to fly and classified fatigue as a factor 
behind the accident. The SUST turned to the FOCA with a recommendation to 
check how to control flight duties and rest times. 7 
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Part IV 


Implementation and Optimization of Risk 

and Safety Management 



General Remarks and Overview 

Roland Muller and Christopher Drax 



A general problem within the SMS literature is that the majority of the implemen¬ 
tation structures and recommendations are tailored to large enterprises. If you 
follow these plans, it might take months until you come to the point where you 
can start identifying your first risks. Our philosophy is to immediately start with the 
collection of risks in order to gain an overview of the main issues the organization is 
facing, and to work on mitigating them as soon as possible. We therefore com¬ 
pressed the following implementation structure down to the essentials, to quickly 
move to the risk collection. The following SMS implementation process is divided 
into four different phases, in order to split up the workload and to provide a 
convenient structure to follow when implementing the Safety Management System. 
The time horizon of four years will also allow leeway to adjust the culture within a 
company and to create a positive safety culture. The following section will give an 
overview of the different phases with their corresponding implementation subjects, 
as well as providing tools as practical examples and guidance for the implementa¬ 
tion. Each topic will be addressed in this chapter with a brief explanation including 
the required deliverables. 
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In a competitive environment organizations have to constantly adapt and change in 
order to preserve and to increase financial returns. The dynamics of adaption and 
change include risks which can create internal resistance to change. For that reason, 
creating and sustaining substantive strategic changes can only be achieved by those 
organizations that foster a risk seeking culture with the willingness to change the 
future position of the organization. 

A successful strategy is always connected to the right planning and effective 
implementation. For that reason, the implementation requires simple, consistent, 
long-term goals, a profound understanding of the competitive environment and an 
objective appraisal of the required resources. 1 2 According to Dong, Neufeld, and 
Higgins (2009), organizations are challenged by the implementation of large scale 
information system (IS) projects—only 35 % of companies in the United States 
completed their IS implementation on time. In 2003, KPMG conducted a survey 
among 230 of the largest global companies discovering 57 % had written off at least 
one IT project in the previous 12 months, and of those experiencing an implemen¬ 
tation failure only 41 % were able to calculate how much costs were incurred for 
their company. 3 

Top management support during new management system implementations is 
crucial, as we expect top management to influence and shape the behaviors of others 
in the organization. The appropriate provision of resources is necessary for a 


1 Fiegenbaum and Thomas (2004). 

2 Grant (2010). 

3 Dong, Neufeld, and Higgins (2009), p. 55. 
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management system implementation, but appears not to have a positive influence 
on user satisfaction. Top management actions should not be static—it is important 
that the management can adjust behavior throughout an implementation process. 4 
The study of Dong, Neufeld, and Higgins (2009) further showed that supportive 
behavior, rather than just expressed support, ultimately determines the implemen¬ 
tation outcomes. This implies that top management need to actively engage with 
supportive actions to ensure that the strategic visions are internalized and appropri¬ 
ately implemented. 5 

In addition, Olsen and Boxenbaum (2009) examined organizational barriers 
which hindered the implementation of a new management system within an orga¬ 
nization. These organizational barriers posed a significant obstacle to the imple¬ 
mentation in general and required a shift in the implementation strategy from a 
decentralized to a more centralized approach. They identified three types of orga¬ 
nizational barriers, namely a cognitive barrier of conflicting mindsets, a process- 
related barrier of radical change of routines, as well as a structural barrier which 
was based on diverse project evaluation criteria. 6 

The first type of organizational barrier can be connected to the dominant mindset 
of key actors in the operational area who are reluctant to change and do not embrace 
new projects. The fundamental problem lies in the contradictory aims concerning 
the relationship between an organization’s financial performance and its commit¬ 
ment to sustainability. 

The second identified organizational barrier was the difficulty to change organi¬ 
zational processes which required a complete reorientation of the existing work 
processes in the operational environment. In principle, obstacles of this kind could 
be overcome by organizational learning and training programs. 

The third barrier relates to different evaluation criteria employed by the strategic 
planning groups and the operations department to assess new market opportunities. 
Olsen and Boxenbaum (2009) found that there is a fundamental difference between 
the Net Present Value (NPV) evaluation method and the business risk evaluation 
method employed by operations. The NPV technique is a common financial metric 
often used by companies when evaluating the value of new market opportunities. In 
contrast, business risk evaluation is similarly used to assess the risks associated with 
new projects. 

Furthermore, McFadden and Hosmane (2001) argued that in the field of 
operations management, improving safety has become a growing area of interest. 
Operations managers in the aviation industry, e.g. Boeing or Honeywell, have 
specified safety as their top operating priorities. Even before all regulatory 
pressures, the total quality movement, technological changes, cost-saving 
objectives and customer expectations of social responsibility, just to mention a 
few, can be named as motivating factors for considering safety as the core priority 


4 Dong et al. (2009), p. 72. 

5 Dong et al. (2009), p. 74. 

6 Olsen and Boxenbaum (2009). 
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for the operating environment. Safety management has become crucial for 
companies, as an aviation accident can be viewed as the ultimate service failure. 
Passengers of airlines expect 100 % accuracy when it comes to safety. 7 8 9 


14.1 Phase: Organization 

In Phase I of the Safety Management System implementation, the basic structure 
should be developed and a compliance document has to be issued which identifies 
the Accountable Executive and the person within the organization who is responsi¬ 
ble for the implementation of the SMS. To show how the SMS requirements will be 
met, a gap analysis has to be conducted which identifies the variations between the 
company’s policy and the authority regulations, and states which components are in 
place and which elements have to be added or modified. This phase mainly focuses 
on basic planning and the assignment of responsibilities, where the core priority is a 
clear roadmap which should serve as a reference. The company’s organizational 
chart should clearly illustrate the roles, responsibilities and safety accountabilities 
which are the basis for effective safety violation handling. Therefore, all levels of 
management and supervisory levels are encouraged to define, communicate and 
document their individual and shared responsibilities for safety performance. 
Senior management is accountable for safety within the company. It must clearly 
ensure that everyone has a responsibility for safety, and should emphasize that it is 
essential to facilitate safety management as an integral strategic aspect of the 
organization’s business. 8,9 

The key deliverables comprise the following: 

• Gap analysis 

• Safety objectives of the organization approved by accountable executive 

• Safety Policy signed by accountable executive 

• Safety Policy distributed across entire organization 

• SMS organizational structure in place 

• Lines of safety accountability established 

• Approval of SMS implementation plan and initial training 

• Emergency response planning implementation process 


14.1.1 Project Planning and Implementation 

During the project planning phase, an implementation project plan has to be 
developed which serves as a basis for a structured approach to the Safety 


7 McFadden and Hosmane (2001). 

8 Safety Regulation Group Civil Aviation Authority (CAA) (2008), p. 5. 

9 ICAO (2008). 
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Management System implementation. It guides the organization through the differ¬ 
ent implementation phases and provides a structure to assess the progress. 

• The start of the SMS implementation should be initiated by appointing the 
person, or establishing the planning group, responsible for the development of 
the SMS implementation project plan. 

• All applicable documents that contribute to the SMS implementation plan 
should be collected. 

• The costs associated for training and planning of the implementation must be 
identified, so that the budget for SMS implementation can be drafted and 
approved. 

• Establishing the allocation of time for the development and deployment of the 
SMS implementation plan among the different management layers of the orga¬ 
nization is the next step. 

• Then the organization must allocate resources for the SMS implementation and 
generate a draft budget. 

• Finally, submitting the SMS implementation plan for endorsement by senior 
management and conducting regular meetings to assess progress are the last 
steps. 


14.1.2 Gap Analysis 

First of all, to start the SMS implementation process, it is essential to perform a gap 
analysis to identify already existing safety management measures within the orga¬ 
nization and those parts that are missing in the organizational context. Based upon 
the results of the gap analysis, the responsible individuals for the implementation 
should be able to develop a SMS implementation plan. At the beginning of the 
planning process, the identification of potential gaps that may hinder the SMS 
implementation phases have to be accounted for, and the development of strategies 
to address such gaps have to be developed in advance. An example of a gap analysis 
can be found in Appendix: SMS Gap Analysis. 

During the gap analysis it is advisable to identify, collect and store the 
SMS-specific records and documentation and to develop guidelines for SMS record 
management. 


14.1.3 Policy and Principles 

A Safety Policy, signed by the accountable executive and which is communicated 
throughout the organization has to be developed. The safety policy is a high level 
statement of desired corporate safety performance. The Safety Policy serves as 
guidance regarding who has a direct or indirect impact on safety performance and 
should provide specific directions to ensure that any safety management activity 
targeted has an impact on the improvement of the safety level within the organiza¬ 
tion. A Safety Policy generally describes high level accountabilities and 



14 Organizational Challenges and Phases of Implementation and Optimization 


157 


responsibilities of the organization and the personnel involved in the operation. It 
prescribes measurable standards, and should be constructed so that short and long¬ 
term safety goals and objectives (or safety performance targets) are accounted for. 
A sample Safety Policy can be found in Appendix: Sample Safety Policy. 

To assure that the Safety Policy and operational safety is followed, it is 
recommended to establish measurable targets which are monitored on a regular 
basis by a safety committee. 

Each aviation organization should conduct their business according to the 
following key safety principles: 

• Safety is considered as the core value of the company 

• Everyone is responsible for the identification, reporting and management of risks 

• Always operate in the safest manner practicable 

• Never take unnecessary risks 

• Recognition that familiarity and prolonged exposure without a mishap leads to a 
loss of appreciation of risk 

• Safe does not mean risk free 


14.1.4 Accountabilities 

In order to have a precise overview of the accountabilities, clear lines of communi¬ 
cation between the Safety Manager, the Accountable Executive, the Safety Action 
Group (SAG) and the Safety Review Board (SRB) have to be established. In 
connection to this, it is mandatory to appoint a Safety Manager as the responsible 
individual and focal point for the development and maintenance of an effective 
SMS. The assessment of functional lines of communication should be commensu¬ 
rate with the size of the organization and complexity of the services provided. 

• Firstly appoint senior managers, including line managers responsible for func¬ 
tional areas, to the SRB. 

• Then, assign the SRB appropriate strategic and tactical functions in order to 
process safety relevant information and lessons learned. 

• Finally, develop a schedule of meetings among the safety service office with the 
SRB and SAG as needed. 

Looking at the key success factors of a safety culture and clear safety 
accountabilities, it becomes obvious that executive management involvement 
leads to a vital basis for Safety Management. Without the commitment and support 
of executive management, a Safety Management System will not work effectively. 
The Accountable Executive must emphasize the company’s dedication to safety, 
enforce safety as one primary responsibility off all managers, and inform all 
personnel about the plan to achieve the highest safety standards. 

No initiative or plan started by staff will have any effect if executive manage¬ 
ment is not fully dedicated to an SMS implementation. Employees need support 
from the executive management, and the supply of all appropriate resources to run 
an SMS efficiently. Types of resources include time for meetings, as well as 
information gathering and planning. Managers must decide on a person who will 
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attend seminars and training courses. Managers must also decide to involve people 
who already have the expertise and can improve the Safety Management System’s 
practicality e.g. consultants. 10 In order to make a full commitment and support 
Safety Management, the executive must have an understanding of Risk Manage¬ 
ment and the corresponding processes. Consequently, executive management must 
ensure that all policies and safety objectives are understood, applied and maintained 
at all levels. * 11 


14.1.5 Safety Requirements and Accountabilities of Subcontractors 

The management of subcontractors is something that has to be thought about when 
implementing Safety Management System processes. The primary purpose of 
safety requirements and accountabilities for subcontractors is to include them in 
your risk management process. Subcontractors provide goods or services and often 
also operate in the same environment, e.g. at an airport. Some incidents or accidents 
can be directly caused by subcontractors, e.g. by a ground handling provider for an 
airline. Therefore, it becomes important to define safety requirements, 
accountabilities and interfaces between your organization and the subcontractors. 
There have to be processes in place which assess the subcontractor’s operations, to 
identify associated hazards and to check the quality of the service they provide. 


14.1.6 Safety Management Manual 

Draft a Safety Management Manual (SMM) to communicate the organization’s 
approach to safety across the whole organization. The SMM is a living document 
and its contents may be expanded, reviewed and amended as the phased approach of 
the SMS evolves. The Safety Management Manual serves as a basis guide for all 
personnel involved in the safety of an organization’s flight, maintenance or general 
operations. Such a manual should define the policy that governs the safety of 
operations of an aviation company. A Safety Management Manual should deliver 
a reactive and pro-active, integrated approach to safety management. Safety Man¬ 
agement should be seen as a part of an overall management process that the 
organization should adopt in order to ensure that the goals of the organization can 
be accomplished. Hazards should be identified and dealt with systematically 
through a hazard identification program that facilitates continuing improvement 
and professionalism. 


10 International Business Aviation council (IBAC) (2008), p. 16. 

11 Stolzer, Halford, and Goglia (2008), pp. 25-26. 
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14.2 Phase: Risk Collection and Assessment 

In Phase II the focus is to correct potential deficiencies within the system and to 
work on key Safety Management processes. This step should be supported by 
conducting an analysis based on information obtained through reactive data collec¬ 
tion measures. Just to mention a few, these data sources can comprise collected 
hazards, identified weaknesses in processes, audit findings and information from 
past incidents or accidents. The organization should demonstrate that it has certain 
components of the SMS in place: 

• The Safety Management System elements from Phase I 

• Reactive processes 

• Investigation and analysis procedures 

• Risk Management procedure 

• Training for personnel and assigned duties within the SMS 

• Documented policies and procedures of the SMS 

A detailed understanding of the operational systems is a prerequisite for the risk 
management process. Those systems encompass the organizational structures, 
processes and procedures, people, equipment, and facilities which have a contribu¬ 
tion to the organization’s productivity. An in depth systems engineering analysis 
will emphasize the interactions between hardware such as aircraft, software, people 
and the environment. It points out weaknesses in the identification of hazards and 
associated risks. 12 

The risk management process described in this chapter is the fundamental task to 
control risks at an acceptable level and can be seen as the key task in Safety 
Management. The process consists of identifying hazards and what kind of poten¬ 
tial risk scenarios can be derived from those hazards. Furthermore, assessing the 
risks and developing mitigation measures is the key to controlling safety risks and 
monitoring the effects of safety actions. The underlying strategy of Risk Manage¬ 
ment is that the likelihood and severity of an event occurring can be minimized. 
Risk Management is a basis for decision making regarding how to handle 
occurrences which affect aviation safety. And it is a basis for incident assessments 
about their implications and evaluating the results. A key to success is constant and 
direct communication throughout the organization. 13 


14.2.1 Risk Collection 

In order to perform the systematic and efficient collection of information on 
possible hazards, a safety database or master risk list has to be developed and 
should serve as the “corporate safety memory \ 14 Most hazards are latent conditions 


12 Stolzer et al. (2008), p. 26. 

13 Stolzer et al. (2008), p. 26. 

14 International Civil Aviation Organization (ICAO) (2009), pp. 4-8. 
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and are present within the company’s processes and operations. Identified hazards 
need to be gathered and analyzed in order to avoid fatal accidents. People are rarely 
aware of hazards; therefore, documentation plays a key role when actively manag¬ 
ing safety. Knowledge is an essential requirement for proactive hazard management 
and must be shared within the organization, especially for the management of raw 
data and assessment of hazard-related information. A historical data collection of 
hazards and safety relevant information provides a solid base for generating a 
quantitative analysis, thus allowing decisions to be based on facts rather than 
relying on personal opinions. The database has to be able to manage the raw data 
and to display it so that conclusions regarding hazards can be drawn. Consequently, 
standardizing the reporting, defining the terms (including the measurement of 
safety information), and management of the tracking and analysis of hazards are 
key prerequisites. 15 

Appendix: Master Risk List Examples show possible master risk lists, where 
identified and collected hazards have to be assessed according to their consequences 
and risks have to be prioritized accordingly. Bearing the hazards and risks in mind, 
control and mitigation strategies have to be developed by involving experts responsible 
for implementing strategies and looking at the collected data. 

Consequently, the next step is to perform an operational process analysis and 
re-evaluate the strategies by involving this data. The outcome of the data analysis 
provides Safety Management information and serves to increase overall safety by 
issuing safety bulletins and reports, as well as helping to build up seminars and 
workshops for educational functions. 16 The key to success is reliable data which 
should be collected for each flight. This data can then be used to put emphasis on 
operational issues or to categorize operations according to their level of risk. The 
feedback of the analysis can be used to adjust the collection methods towards best 
practices. Hazards should be periodically reported by staff and should be identified 
during regular, scheduled risk identification surveys, audits and inspections, or 
discovered by evaluating accidents, incidents and risky situations and should be 
documented in the risk register. 


14.2.2 Reporting Procedure and Whistleblowing 

Safety Risk Management includes specifying the means of collecting, recording, 
acting on and generating feedback about hazards and risks in daily operations. First 
of all, it must be determined what form of intervention tools have to be used to 
collect reactive information. The next paragraph shows a common example of a 
reactive approach by identifying hazards in the form of an Air Safety Report (ASR). 
Subsequently, it has to be decided which reporting system will be required and 
adapted to the organization. Three different approaches are common throughout 


15 International Civil Aviation Organization (ICAO) (2009), pp. 4.7-4.8. 

16 International Civil Aviation Organization (ICAO) (2009), p. 4.8. 
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various aviation organizations: mandatory, voluntary or confidential reporting 
systems. It is also possible to directly contact the Safety Manager and provide 
direct feedback. The reporting of safety relevant information promotes learning 
from reactive information, like already encountered incidents, and prepares the 
organization for proactive reporting to prevent safety relevant incidents in the 
future. Appendix: ASR/Hazard Reporting Procedure illustrates a possible reporting 
procedure to collect reactive and proactive safety relevant information. 

According to ICAO 17 the following key principles are to be considered when 
establishing a voluntary reporting system within the generic framework of an 
organization’s SMS. 

Trust —The reporting persons must be certain that the information they provide 
will not be used against them; otherwise, they will be reluctant to report their 
mistakes. A positive Safety Culture in the organization provides the foundations of 
a successful occurrence reporting system. 

Non-punitive —The reporting person must be protected against legal, adminis¬ 
trative or disciplinary sanctions, except in the case of gross negligence, criminal 
activity or intent. 

Inclusive Reporting Base —The systematic approach to safety management 
requires that voluntary reporting be targeted at all aspects of aircraft operation, 
such as flight operation, cabin safety, aircraft maintenance, air navigation services, 
aerodrome operation, etc. Also, collecting information on the same occurrence 
from different perspectives provides a complete analysis and understanding of 
events, and consequently of the hazards and their effects. 

Confidentiality —Non-punitive systems are based on confidential reporting. 
The person reporting an incident must be sure that his/her identity, and other 
information that may be used to identify other involved physical or legal 
personalities, will not be disclosed. In some states legislation on access to informa¬ 
tion makes it increasingly difficult to guarantee confidentiality. This could limit the 
safety occurrence reporting to the minimum required for mandatory reporting. 

Independence —Ideally, the voluntary reporting system is operated by an orga¬ 
nization that is separate from the state regulatory authorities. This organization 
collects and analyzes safety reports and feeds the results back to the regulatory 
authorities and the aviation community. 

Ease of reporting —Submitting a report should be as easy as possible for the 
reporter. The reporting forms should be readily available to anyone wishing to file a 
report. They should be easy to compile, provide adequate space for narrative and 
make maximum use of a comparable format. The forms should encourage safety 
improvement suggestions, such as how to prevent the reoccurrence of a hazard or 
how to deal with it. 

Acknowledgment —To encourage further submission of reports, the organiza¬ 
tion should clearly communicate to its personnel that the voluntary reports are a 
valuable safety asset and acknowledge the efforts made by reporting persons. 


17 International Civil Aviation Organization (ICAO) (2009). 
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Whenever possible, feedback on the actions taken in response to a report should be 
provided to the reporting person. 

Promotion—The de-identified information received from the voluntary 
reporting system should be made available to the aviation community in a timely 
manner. One form of reporting is described in the Swiss Voluntary Reporting 
Systems (SWANS). A variety of information dissemination methods should be 
used to achieve maximum exposure, for example monthly newsletters, periodic 
summaries, safety bulletins published on the Internet, etc. Such promotional activ¬ 
ity may help motivate people to further improve the reporting of safety occurrences. 

Furthermore; another form of reporting procedure which can be closely linked 
with safety management is “Whistle blowing”, which means “the disclosure hy any 
employee (former or current) of illegal , immoral , or illegitimate practices under 
the control of their employers to persons or organizations .” 18 Employees are, based 
on their insider knowledge, in the most suitable position to establish transparency 
and to inform about mismanagement and misconduct in the company 
environment. 19 

Whistle blowing, with regard to the workforce in organizations, can be split into 
four different components. One element is an individual who is willing to disclose 
company internal information and make it available outside the organization. The 
second element can be described as the conversion of that specific information into 
general information which is then available to the public. Usually, that information 
is about mistakes and mismanagement or scandalous material from internal 
sources, which is typically revealed by current or former employees of the 
company. 20 

A quite recent whistle blowing example is the case “Bradley Manning”, an 
American soldier who was arrested in May 2010 in Iraq on suspicion of having 
passed restricted material to the website Wiki Leaks. He was accused in July 2010 
of transferring classified data to his personal computer and communicating a large 
amount of data and US national defense information to an unauthorized source. 21 

Despite the fact of benefitting the public by revealing this secret information, 
whistleblowers are normally not aware of the negative consequences they have to 
face after their waiver of professional secrecies. 22 Colleagues and superiors may no 
longer welcome people who they regard as traitors. Often responsibilities will be 
removed or whistleblowers transferred to less interesting tasks and projects. 23 

Nevertheless, an active, implemented whistle blowing system can prevent 
organizations from the exposure of harmful information to external sources. 


18 Miceli and Near (1992), p. 15. 

19 Odermatt (2005), p. 1. 

20 Johnson (2003). 

21 Nicks (2010). 

22 Professional secrecy is a privilege that ensures that any information your employer provides to 
you is kept confidential. 

23 Devine and Maassarani (2011), p. 16. 
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It can serve as a shield to keep the report within the company and to reflect the 
concern internally. This sort of system can prevent a company’s loss of reputation, 
especially when safety is concerned. 24 

14.2.2.1 Air Safety Report 

Each aviation organization should make every effort to ensure the highest possible 
safety standards for its flight operations. In addition to ongoing training and 
education, this should also involve the analysis of events adversely affecting the 
safety of operations. A prerequisite is to record and analyze safety relevant events. 
In order to ensure the collection of data affecting flight safety, and to analyze such 
data based on defined criteria, an Air Safety Report (for aircraft operators) serves as 
the best solution to raise flight safety standards within an organization. By filing 
their reports, all staff members help to raise the level of safety by identifying 
possible hazards within daily operations. In particular, reports should include 
descriptions of events which affected flight safety. In addition, reporting failures 
or other safety-relevant situations allows operators to take a proactive approach. 
The Safety Manager can encourage the relevant employees to take preventive 
measures, thus raising the level of flight safety. 

Experience gathered from accident analysis shows that the possibility of anony¬ 
mous reporting should be provided. This feature, which gives the staff the option to 
report anonymously or officially, should be included in the reporting system. 
However, when employees decide to file their reports anonymously, there is no 
possibility to acquire more details from the reporters. When staff members prepare 
their reports, they can classify their information as “anonymous” by not giving their 
names. Appendix: Sample Air Safety Report provides a sample of an Air Safety 
Report where hazards or flight safety relevant information can be collected. Appendix: 
Safety Manager Evaluation Sheet shows the assessment of the collected hazard which 
has to be assessed according to the risk matrix in Fig. 14.2. 

14.2.2.2 Swiss Voluntary Reporting Systems (SWANS) 25 

The Swiss Voluntary Reporting System offers, in addition to the mandatory 
reporting system of the Swiss Federal Office of Aviation (FOCA), the possibility 
of reporting occurrences and safety critical events on a voluntary and anonymous 
basis. This reporting system aims to encourage increased reporting of safety-related 
occurrences. Reports should be filed if an operational interruption, defect, fault or 
other irregular circumstance that has or may have influenced the safety of an 
aircraft, its occupants or any other person occurs. It is also possible to report 
occurrences which as yet present no risk, but which could, if not corrected, present 
a potential risk to the safety of the aviation system. 

The reports are analyzed by FOCA’s Safety and Risk Management office, which 
is independent and completely separate from the divisions responsible for 


24 Pittroff (2011), p. 64. 

25 Bundesamt fur Zivilluftfahrt (BAZL) (2007). 
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supervisory tasks and conducting criminal proceedings. This reporting system is 
part of a new culture - a “just culture” as described in Part I, Sect. 4.8. Civil aviation 
actors are encouraged to openly report important safety-related information in a 
proactive way. The analysis of the collected reports helps to identify potential risks 
in aviation in order to learn from them by taking appropriate and proactive 
measures to mitigate risks to an acceptable level before they cause any harm. 

However, FOCA also states that the new reporting system does not always offer 
protection from prosecution. FOCA only forgoes initiating criminal proceedings 
under two conditions: 

• First, the occurrence is not a deliberate or grossly negligent breach of the 
applicable standards and regulations 

• Second, the office learned of the occurrence through this reporting system. 

The SWANS reports can be filed by anyone directly or indirectly involved in 

aviation, who uses aviation services or who makes safety-related observations in 
this field. Reports can be filed at FOCA anonymously or openly by means of a 
SWANS report as illustrated in Fig. 14.1. 

The reporting form is available in electronic form online and can be sent to the 
SWANS reporting office by mail, fax or e-mail. Appendix: SWANS Report shows 
the SWANS report format. The submitted information is handled by FOCA using 
the following process flow. 


14.2.3 Prioritization in the Master Risk List and Elimination 
of Irrelevant Risks 

All collected risks are documented in a so called master risk list. Appendix: Master 
Risk List Examples of Sect. 14.2.1 illustrates two different examples of a master 
risk list. This specific list provides an overview of all the risks an organization faces 
at a given point in time, depending on its actual revision status. In times of budget 
cuts and limited resources it is not possible to manage all the risks effectively and 
mitigate them to an acceptable level. For this reason, a prioritization of the 
documented risks has to be performed with the focus on the substantial top-level 
risks which have to be effectively mitigated. Throughout this prioritization a 
thorough assessment of the documented risks has to be achieved, which is described 
in the next chapter. The prioritization of the risks is based on the assessment and the 
mapping in the risk matrix. Risks which have been classified as irrelevant are still 
documented, but deleted from the master risk list. 


14.2.4 Risk Assessment of Relevant Risks 

The Safety Manager or a pre-determined Safety Action Group (SAG), consisting of 
managers from different areas within the organization, are responsible for assessing 
all reported events and hazards on the basis of a Risk Assessment Matrix which 
allows determining a specific risk indicator for each occurrence. In the aviation 
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Fig. 14.1 SWANS reporting process (Bundesamt fur Zivilluftfahrt (BAZL), 2009). Source : 
Adapted from BAZL 


environment, not all risks can be eliminated. They are inherent in the daily 
operations. The Risk Assessment, however, allows the analysis of each individual 
hazard and identifies the level of risk to the organization. Based on these 
assessments, suitable mitigation measures can be implemented in order to avoid 
future reoccurrences. 
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Fig. 14.2 Risk matrix. Source : Muller, Lipp, and Pliiss (2007) 

The Risk Assessment Matrix is a graphic expression of risk as the product of 
probability on the x axis and severity of potential consequences on the y axis. The 
Risk Assessment Matrix shows an assigned value and has a broad application for 
qualitative risk determination, as well as graphically presenting the risk criteria. 
Each criterion has an individually tailored financial implication and a time compo¬ 
nent to make the risk assessment more structured and transparent. The evaluation 
consists of identifying a value from 1 to 25 (which can be tailored according to 
individual operational needs) for all occurrences or hazards, providing a view of the 
severity of consequences and the probability of each individual occurrence. 

After the identification of a value for the severity and the probability of an 
occurrence, both values are multiplied. The result is the risk indicator for this 
specific occurrence. Based on this risk indicator, the risk is classified as acceptable, 
tolerable or unacceptable on the basis of the following risk matrix (Fig. 14.2). 

In line with the risk indicators identified, the Safety Manager should initiate the 
measures described below: 

• Indicators 10-25: risk unacceptable. 

Establish immediate contact and liaison with the Accountable Manager and 
direct initiation of appropriate mitigation measures. 

• Indicators 4-9: risk tolerable. 

The Safety Manager briefs the team; no immediate mitigation measures are 
required; any suitable mitigation measures will be decided. 

• Indicators 1-3: risk acceptable. 

No mitigation measures are required; the occurrence is included in the statis¬ 
tics and listed at the next scheduled safety meeting. 

The financial values for the severity scenarios have to be individually tailored to 
each organization. It might happen that a loss of 5M CHF poses an intense threat to 
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the survival of an organization. Therefore, each organization has to be aware of 
setting their individual financial risk criteria. It might be interesting to see how the 
criteria for assessing the financial implications can be defined in concrete terms. 

A first approach is the average availability of liquidity. Exceeding liquidity, for 
whatever reason, leads to illiquidity and thus to bankruptcy for an organization. 

A second approach is the maximum possible net financial debt to EBITDA. If 
this maximum leverage factor is too high, credit agreements can be terminated by 
the banks. Take the example when the EBITDA of a company is currently four 
million and external ineptness accounts for six million, at a maximum allowable 
leverage factor of 2.5, damage of four million would already be a disaster for the 
company. 

It might seem logical to insure aircraft against damage. If we take a look, for 
example, at a commercially operated helicopter which crashes on a house, killing 
the crew, injuring people on the ground and destroying the house the whole scenario 
could be insured against. This would mean no financial loss for the company and no 
risk for the continuation of daily operations. Nevertheless, as we have learned from 
the past, the reputation of a company cannot be insured. Future customers might 
refuse to fly or use further services from the company again which would induce 
financial losses and might endanger the health and existence of that company. 
Without further customers the company will go bankrupt, even though they were 
insured against all losses. Therefore, protecting the reputation of a company by 
rigid safety measures and constant risk management appears to be the best and most 
sustainable insurance. 


14.3 Phase: Risk Mitigation 

Upon assessment of the safety risk in terms of severity and probability, and 
visualizing the safety risk in the safety risk matrix, the outcome is only an intangible 
product of an investigation (Fig. 14.3). In order to materialize the output from the 
previous assessment, the safety risk has to be further categorized to analyze its 
potential damage to a safe operation. This second step classifies the safety risk 
according to the organization’s tolerability. 26 

The first category “intolerable region”, matrix values 10-25, contains all safety 
risk criteria marked red. If a safety risk falls into this category, it is unacceptable 
under any circumstances. The most probable solution in this case would be to 
cancel the operation. If not possible, then it is necessary that “controls must be 
adopted so that a subsequent iteration of the risk index calculation results in the 
arrival at a yellow or green cell”. 27 In the second category, matrix values 4-9, the 
safety risks which are marked yellow, are acceptable based on the mitigation 
processes that should follow. All remaining safety risks that fall in the area with 


26 International Civil Aviation Organization (ICAO) (2009), pp. 5-6-1. 
27 Stolzer et al. (2008), p. 141. 
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Fig. 14.3 Safety tolerability 
matrix (International Civil 
Aviation Organisation 
(ICAO), 2009, pp. 5-6-3). 
Source : ICAO 


As Low 

As Reasonably 
P racticable 



the green marked cells, matrix values 1-3, are acceptable without starting a 
mitigation process due to their unlikely occurrence or negligible severity during 
normal operations. The implementation of safety measures is in the hands of the 
Safety Manager or Safety Action Group who monitor and supervise the implemen¬ 
tation. Results should be concurrently documented and published internally in a 
lessons learned library. The purpose of the risk mitigation step is to reduce the 
safety risk through mitigation to a level that is as low as reasonably practicable 
(ALARP). The underlying meaning is that the safety risk should be reduced using 
all available resources within the organization. 


14.3.1 Investigate Possible Mitigation Measures 

Not every mitigation measure leads to a favorable outcome. In Part II the concept of 
production and protection was introduced, which is now of great relevance. At this 
point possible mitigation solutions have to be found in order to manage the known 
hazards and associated risks. Keeping this in mind, it is also important to take an 
economic decision which is in line with the safety measures. 

There are different ways for organizations to choose the most appropriate 
strategy to control a known risk associated with the provided service. The following 
examples provide three ways of addressing specific risks: 

• Risk avoidance. Risky task, procedure, operation or activity is avoided if the 
associated risk is determined to exceed the (economic) benefits. 

• Loss reduction. Measures are taken to reduce the frequency of occurrence of 
unsafe (unwanted) events or the severity of their effects (consequences). 

• Control of exposure (by separation or duplication). Action is taken to isolate the 
risks or to ensure redundancy to protect against the risks (e.g. use of 
non-flammable insulation materials or back-up systems to reduce the likelihood 
of total system failure, etc.). 28 

Establishing the correct and effective risk mitigation strategies and measures is a 
challenging task. Often, experience and knowledge of the particular operational 


28 


Skybrary (2013a, 2013b). 
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environment is not sufficient to apply the right mitigation strategy; it is hard to 
overcome the rigid mindsets and biases of those who are closest to the problem. In 
many cases, an open mindset and the ability to be creative and to think outside the 
box are of great relevance. 

It is not possible to control all risks to an extent that they are no longer of 
relevance; in most cases it is not economically feasible to apply a certain strategy 
because the protection, in terms of cost, would supersede the production (benefit). 
As mentioned in the previous chapter, the risks have to be at the “as low as 
reasonably practicable” level. This requires a balance of risk against time, cost 
and effort to apply a mitigation measure. 29 


14.3.2 Cost-Benefit Analysis 

As already mentioned in Part II in Chap. 4, most of the time, cost is the main driver 
influencing the reduction of a safety risk to the lowest reasonably practicable level. 
Therefore, it is necessary to include a cost-benefit analysis. A cost-benefit analysis 
is a formal technique by which the benefits of an operation are weighed against its 
costs. 30 In this case the technique analyses the cost and benefits of reducing a safety 
risk in order to find the best trade-off between the costs of reducing the safety risk 
and the thus received level of safety. If a safety risk reaches the status of ALARP, a 
further reduction of the safety risk would be outweighed by the extra costs. When 
reaching the status of ALARP it does not mean, for the organization, that the safety 
risk is eliminated. It only means that the organization accepts the residual value of 
the safety risk that is left because it is outweighed by the financial benefits. 31 Some 
factors of a cost-benefit analysis cannot be predicted exactly, especially when it 
comes to qualitative, less numeric figures, which also have weight in this analysis. 32 
For example: 

• Managerial. Is the safety risk consistent with the organization’s safety policy 
and objectives? 

• Legal. Is the safety risk in conformance with current regulatory standards and 
enforcement capabilities? 

• Cultural. How will the organization’s personnel and other stakeholders view the 
safety risk? 

• Market. Will the organization’s competitiveness and well-being vis-a-vis other 
organizations be compromised by the safety risk? 

• Political. Will there be a political price to pay for not addressing the safety risk? 


29 Skybrary (2013a, 2013b). 

30 Case and Fair (2007), p. 129. 

31 International Civil Aviation Organisation (ICAO) (2008). 

32 International Civil Aviation Organization (ICAO) (2009), pp. 5-7-4. 
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Fig. 14.4 Cost-benefit analysis. Source : Hecker (2012) 

• Public. How influential will the media or special interest groups be in affecting 
public opinion regarding the safety risk? 33 

When applying a cost-benefit analysis, the organization has to distinguish 
between direct and indirect costs and what level of impact they have on the 
organization—including direct and indirect benefits. The cost-benefit analysis 
can be illustrate like in Fig. 14.4. 

The results of costs and benefits can be illustrated as consolidated outcomes in 
the “Result Cockpit”. The final result cockpit provides a summary of the collected 
and calculated data and serves as a basis for decision making. In general, the cost- 
benefit analysis should provide a numerical overview of all relevant key perfor¬ 
mance indicators, cost-benefit relations, a graphical illustration of the costs, sum at 
risk and damages, as well as a qualitative explanation of the indirect benefits. The 
goal is to present all relevant data accessible, in a comprehensible and effective 
way, to the decision makers. 


14.3.3 Determination of Mitigation Measures 

Once the mitigatable economic risks are identified, effective mechanisms have to 
be applied to understand the factors contributing to their occurrence. Any mecha¬ 
nism that is effective in reducing risk can modify one or more of these factors. 
Reducing the probability of occurrence or the severity of the consequences can be 
one mitigation measure. In order to reach the desired risk reduction level, the 
implementation of more than one mitigation measure may be required. 34 There 
are some possible approaches to effective risk mitigation outlined by ICAO 35 : 

• Revision of the system design (before system implementation); 

• Modification of operational procedures; 

• Changes to staffing arrangements; and 


33 International Civil Aviation Organisation (ICAO) (2008). 

34 Skybrary (2013a, 2013b). 

35 International Civil Aviation Organization (ICAO) (2009). 
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• Training of personnel to deal with the hazard. 

The importance of a proposed risk mitigation measure is that the expected safety 
improvement potential must be thoroughly assessed in order to exclude new risks in 
the system. Finally, constant monitoring will assure that the implemented risk 
mitigation measure is effective. Therefore, it is fundamental to verify that the 
mitigation measures work as initially intended. 36 


14.3.4 Publication and Documentation 

All reported incidents and hazards, related findings and safety performance 
indicators, as well as any safety mitigation measures should be recorded and 
documented by the Safety Manager, and be published and made accessible to all 
staff members. Reports should be presented anonymously without disclosing any 
personal data. Publication is not aimed at assigning blame or exposing individual 
staff members (reports are published anonymously). Making the reports public is 
aimed more at raising risk awareness among all staff to achieve an ongoing 
improvement with a view to constantly improving safety levels and to sharing 
important experiences. Furthermore, the gathered data has to be analyzed. The 
outcome of the data analysis provides safety management information and serves to 
increase overall safety by issuing safety bulletins and reports, while also helping to 
build up seminars and workshops for educational functions. 37 The key to success is 
reliable data which should be collected for each flight or operation. This data can 
then be used to put emphasis on operational issues or to categorize operations 
according to their risk. The feedback of the analysis can be used to adjust the 
collection methods towards best practices. 


14.3.5 Emergency Response Planning (ERP) 

A strong process for risk mitigation is the Emergency Response Plan—the most 
critical test of an organization’s credibility is at the time of a crisis. The danger of 
having the company’s reputation wounded is greatest during the first hours. There¬ 
fore, disseminating information, either from a central company source or directly 
dealing with the media at the accident site must be a controlled process. An 
Emergency Response Plan should be designed to assist company personnel in 
fulfilling the responsibilities of the company and in responding to aircraft acci¬ 
dent/crisis situations and incidents in the most rapid way possible. It is a structured 
approach to handling a crisis and is designed to assist company personnel in 
responding to aircraft accidents and incidents in the most rapid way possible. It 
characterizes response procedures for all occurrences which are not ‘daily 


36 Skybrary (2013a, 2013b). 

37 International Civil Aviation Organization (ICAO) (2009), p. 4.8. 
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business’, and requires a specific approach. The ERP acts as the guideline for the 
actions to be taken during the first hours after an accident or incident occurs. All 
procedures are written down in the form of checklists and serve as a guideline for 
each member of a specified “Crisis Team”. These checklists ensure a standardized 
performance and documentation of all activities related to the crisis and must be 
kept readily available 24 hours a day. A company must ensure that all staff that may 
potentially be involved in an emergency situation are fully aware of the contents of 
the checklists, and that all procedures are kept up to date and all necessary 
arrangements remain valid. The checklists also contain necessary forms, telephone 
numbers and addresses for the accident response. 38 

It is of great relevance that all actions during a crisis situation are tracked. This 
means that a log of key events and decisions be maintained throughout the response. 

The Emergency Response Plan can be made available via hardcopy folders or 
via an integrated software solution which can be accessed by each involved 
employee. The documentation can be divided into two parts. 

Part I, provides all the necessary background information concerning definitions 
and policies which could be specified as the Emergency Response Manual. Fur¬ 
thermore, this part should give explanations on how to use the checklists. 

Part II, should be written as different checklists in a simple “need to do” format, 
giving step by step actions to be taken in a crisis in and how to document the 
performed action. Moreover, Part II also contains telephone lists and useful 
addresses to facilitate communication. 

In general all the planning, and identifying of external entities that will interact 
with the organization during emergency situations, should be made in advance. 
Each employee who is involved in emergency response activities should have his 
own checklist which should be harmonized with the corresponding internal 
checklists of the other crisis team members. All internal emergency response 
activities should be coordinated with subcontractors and suppliers in order to 
identify gaps in reporting procedures or possible information or data leaks. Appen¬ 
dix ERP Checklist Emergency Director a checklist for an Emergency Director who 
would be the coordinator and main point of contact in an emergency situation. 


14.4 Phase: Continuous Improvement 39 and Change 
Management 

In order to continuously improve the Safety Management System, the organization 
should establish and apply processes which support the investigation of the causes 
of deviations from the prescribed safety standards. In the case of a safety critical 
event, the process for the review of the SMS should be exclusively based on 
immediate corrections and not on a designated periodic inspection plan. These 


38 Department of Transportation (DOT) Canada (2004). 
39 Bundesamt fur Zivilluftfahrt (BAZL) (2009). 
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safety performance reviews have to be conducted periodically and must assess the 
adequacy and effectiveness of the different SMS components and the effectiveness 
of the corrective and improvement measures. The organization should appoint a 
group of people—from top management levels (adjusted to the size and the 
complexity of the organization)—that are responsible for the safety objectives 
which ensure the assessment of the Safety Management System. This designated 
group of people has to be equipped with the necessary competencies to make 
decisions in the following listed areas: 

• Improvement and effectiveness of the SMS 

• Establishment/implementation of the safety policy in all organizational areas 

• Allocation of the necessary funds to achieve the safety goals. 

The assessment of SMS includes: 

• Results of internal and external audits 

• Observations concerning degree of fulfillment of safety goals 

• Findings from hazard and event analysis 

• Analysis and results from intemal/external feedback 

• Status of corrective and preventive measures 

• Follow-up actions from previous system assessments 

• Changes that may affect the SMS—recommendations for improvements 

• Exchange of best processes across the organization. 

A sufficient amount of data has to be available to provide the necessary trace- 
ability and reliability of the assessment system. Decisions resulting from the 
assessment have to be disclosed within the organization by executive management 
to demonstrate how the assessment process leads to new objectives which stimulate 
the success of the organization. In addition, the organization should compare its 
SMS with that of other organizations and be an active supporter of SMS within the 
aviation industry. 

In connection with continuous improvement, Change Management has become a 
central buzzword in the current economic environment. Globalization and its 
inherent changes have shaped the managerial landscape and established the term 
Change Management as a fundamental process for organizations that constantly 
have to adapt to the fast changing business environment. Change Management can 
be clearly distinguished from strategic management. While strategic management 
focuses on adaption to the external business environment, Change Management 
focuses on the conversion of internal company processes to the desired organiza¬ 
tional state. Change Management does not focus on the future result, but defines the 
process of moving from the status quo to a desired future condition . 40 

Prior to undergoing any significant change that could impact flight operations, a 
Change Management Process should be undertaken. Possible events that can 
indicate the need for a change management process are: 

• The introduction of a new aircraft type 


40 


Lauer (2010), pp. 3-4. 
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• Significant change in the nature of the operation (e.g., dynamic business growth, 
new operating environment, etc.) 

• Changes in hiring or scheduling practices 

• Changes to organizational structure 

• Significant change in maintenance arrangements, etc. 

As soon as a change event has been determined, the Safety Risk Assessment 
should be reviewed. On the basis of that assessment, and any other available 
information, the Safety Manager, or the person to whom the responsibility is 
delegated, should develop a Change Management Plan. The Change Management 
Plan should include an assessment of the changes required to items, such as: 

• Standard operating, maintenance procedures and processes 

• Personnel training and competency certification 

• Amendment of Operational Manuals Part A-D 

• Maintenance Control Manual or Maintenance Procedures Manual; and/or 

• Aircraft SOPs, etc. 

It should also include a plan for the development of the required changes. When 
the required changes have been developed, a Safety Audit should be conducted 
before the change is implemented. After implementation of the change, the Safety 
Manager should review the system performance at regular intervals. If there is any 
doubt about the effectiveness of the Change Management Process, a more compre¬ 
hensive post implementation review or a Safety Audit should be conducted. 


14.4.1 Audit 

A Safety Audit is an independent evaluation of the Safety and Risk Management 
System. While such an audit may be done to meet an external requirement, the 
prime purpose of a Safety Audit is to identify areas in which safety performance 
may be evaluated and enhanced. Safety Audits should be held at least once a year 
and may be split into different modules. 

A Safety Audit is used to validate the safety-risk assessment, which in turn is 
employed as the basis to evaluate the safety performance. It may include: 

• Visits to the operating site (Home-base); 

• Interviews with managers and operational staff within the company; 

• Document reviews (e.g. for completeness, currency and appropriateness); and 

• An evaluation of the Safety Management tools being applied 

Findings from Safety Audits should be tracked in the hazard identification 
system, and may be used to update the safety-risk assessment. 

14.4.1.1 Internal and External Audits 

The aim of internal audits is the assessment and evaluation of all major internal 
organizational processes at least once per year. Thus, permanent and systematic 
target-performance comparisons of all processes and procedures should be possible. 
This will obtain an objective evaluation and identification of deficiencies to allow a 
subsequent proposal and initiation of corrective and preventive measures. The aim 
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of external audits is to monitor subcontractors according to contractual obligations 
and negotiated standards. 

The audit process can, in general, be divided into three steps, preparation, 
implementation and completion. Moreover, it focuses on the fulfillment of the 
legal and contractual requirements of different areas and processes. Furthermore, 
the roles of the designated responsible persons are monitored using specific criteria 
for conducting audits in the form of question catalogs. All results are logged, 
evaluated and reported and reconciled with previous results along with their 
corresponding improvement and implementation measures. 

The final audit report should contain all detected faults, deviations, deficiencies 
and potential for improvement, with an overall evaluation of the audited area and 
individual evaluation of the audited processes. 

Furthermore, corrective and preventive measures with responsibilities and ful¬ 
fillment dates should be set, and an objective evaluation of the implementation and 
efficiency of these initiated corrective measures should be monitored. 


14.4.2 Safety Promotion and Training 

Safety promotion is a crucial part of the development and retention of a sound SMS. 
The promotion should guarantee that all members of staff are appropriately trained 
to work with the SMS and the organization’s safety culture; each employee is 
encouraged to convey safety-relevant information and knows which actions have to 
be taken. The modes of promotion include safety policies and procedures, 
newsletters, and presentations which should harmonize and develop the 
organization’s safety culture. The safety promotion processes must constantly be 
assessed by informal workplace meetings between employees and accountable 
managers to evaluate their impact on the organization . 41 

Safety, as the core value of an aviation organization, should underpin every 
activity within the company. The organization should be structured to focus on 
safety issues at all levels, and safety should be the first agenda item at every 
executive meeting. There should be a safety culture in place which positively 
encourages the reporting of all safety-related incidents and events. Each incident 
or safety critical event should be reported, no matter how minor it may seem. In 
order to promote safety as the core value, review, revise and communicate changes 
to your organization’s SMS usage and standards. Use media like safety newsletters, 
notices and bulletins, websites and e-mail to disseminate this information. Effective 
methods to promote safety among others in this phase should include: 

• Share “lessons learned” that promote improvement of the SMS 

• Identify methods to communicate successes of the SMS (i.e. after training is 
completed, trends identified in the documentation submitted, changes to the 
safety performance indicators, etc.) 


41 


Safety Regulation Group Civil Aviation Authority (CAA) (2008), p. 16. 
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• Review the safety policy including the reporting policy 

• Promote participation by all personnel in the identification of hazards 

There should be a documented process for identifying training requirements, and 
a validation process that measures the effectiveness of the training. An organization 
needs to ensure that all employees receive appropriate safety training, where the 
scope of the safety training is suitable to each individual’s involvement in the SMS. 

• Accountable Managers should have a thorough understanding and awareness of 
SMS roles and responsibilities, the company’s safety policy, SMS safety 
standards and the measurements to assure them 

• Senior Managers need to understand and communicate the regulatory 
requirements for their organization and the safety standards and assurance 
processes 

• Managers and supervisors should be aware of the basic safety processes, like 
hazard identification, Risk Management and Change Management processes to 
learn from past events and to apply certain mechanisms to increase the safety 
level 

• Operational employees should have a basic overview of the SMS fundamentals 
and the organization’s safety policy . 42 


42 


Civil Aviation Authority-Safety Regulation Group (2008), p. 15. 
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Glossary 43 ’ 44 

Accident (Aircraft) An occurrence associated with the operation of an aircraft 
that takes place between the time any person boards the aircraft, with the 
intention of flight, until such a time as all such persons have disembarked, in 
which a person is fatally or seriously injured, the aircraft sustains substantial 
damage, or the aircraft is missing or is completely inaccessible. 

Air Operator Certificate (AOC) A certificate authorizing an operator to carry out 
specified commercial air transport operations. 

Air Traffic Control (ATC) A service provided for the purpose of controlling 
aircraft movement in a manner that: (a) Prevents collisions on the maneuvering 
area between aircraft and obstructions, (b) Expedites and maintains an orderly 
flow of air traffic. 

Audit A structured and objective assessment that determines the level of confor¬ 
mity with specific standards. 

Change Management A systematic approach to identifying and analyzing inter¬ 
nal and external changes with the potential to affect the functionality of an 
organization, and assess and control the risks associated with such changes. 

Compliance To fulfill, meet or be in accordance with requirements specified in 
standards or regulations. 

Defenses Specific mitigating actions, preventive controls or recovery measures put 
in place to prevent the realization of a hazard or its escalation into an undesirable 
consequence. 

Errors An action or inaction by an operational person that leads to deviations from 
organizational or operational intentions or expectations. 

Emergency Response Plan (ERP) A formal plan that defines the actions taken 
following an accident to ensure an orderly and efficient transition from normal to 
emergency operations, and then safe continuation of operations or the return to 
normal operations as soon as possible. An ERP specifies the: (a) Delegation of 
emergency authority and assignment of emergency responsibilities; 
(b) Authorization for action by key personnel; (c) Coordination of efforts to 
cope with the emergency. 

Fatigue A physiological state of reduced mental or physical performance capabil¬ 
ity resulting from sleep loss or extended wakefulness, circadian phase, or 
workload (mental and/or physical activity) that can impair a crew member’s 
alertness and ability to safely operate an aircraft or perform safety-related duties. 

Fatigue Risk Management System (FRMS) A data-driven means of continu¬ 
ously monitoring and managing fatigue-related safety risks, based upon scien¬ 
tific principles and knowledge, as well as operational experience that aims to 
ensure relevant personnel are performing at adequate levels of alertness. 


43 International Air Transport Association (IATA) (2012). 

44 International Civil Aviation Organization (ICAO) (2009). 
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Framework for Safety Management Systems (SMS) The structure of a safety 
management system (SMS), published in ICAO Annex 6, comprising the 
4 components and 12 elements that define the minimum requirements for SMS 
implementation. 

Hazard (Aircraft Operations) An existing or potential condition that could lead 
to or result in injury to or death of persons and/or damage to or loss of an aircraft 
in operation. 

ICAO Annexes Additional sections to the ICAO Convention which are 
guidelines, provided for the various national aviation authorities, for use in 
developing civil aviation rules and regulations that govern flight operations in 
their respective states. 

Quality Management System (QMS) The aggregate of the organizational 
activities, plans, policies, procedures, processes, resources, responsibilities, 
and infrastructure implemented to ensure all operational activities satisfy cus¬ 
tomer and regulatory requirements. A controlled documentation system is used 
to reflect the plans, policies, procedures, processes, resources, responsibilities 
and the infrastructure used to achieve a continuous and consistent implementa¬ 
tion and compliance. 

Safety (Operational) A condition in which the risk of injury or damage occurring 
during operations is limited to an acceptable level. 

Safety Action Group (SAG) A high level tactical committee within an SMS that 
comprises designated line managers and representatives of front line personnel. 
It takes strategic direction from the SRB and addresses the implementation and 
effectiveness of risk control actions in operations. See Safety Management 
System (SMS) and Safety Review Board (SRB). 

Safety Assurance The component of a Safety Management System that comprises 
processes for: (a) Safety performance monitoring and measurement; (b) The 
management of change; (c) Continual improvement of the SMS. See Safety 
Management System (SMS). 

Safety Culture The extent, to which an organization actively seeks improvements, 
vigilantly remains aware of hazards, and utilizes systems and tools for continu¬ 
ous monitoring, analysis, and investigation. It includes a shared commitment 
amongst personnel and management to personal safety responsibilities, confi¬ 
dence in the safety system, and a documented set of rules and policies. The 
ultimate responsibility for the establishment and adherence to sound safety 
practices rests with the management of the organization. 

Safety Management System (SMS) A systematic approach to managing safety 
within an organization, including the necessary organizational structures, 
accountabilities, policies and procedures. As a minimum, an SMS: 
(a) Identifies safety hazards; (b) Ensures that remedial action necessary to 
maintain an acceptable level of safety is implemented; (c) Provides for continu¬ 
ous monitoring and regular assessment of the safety level achieved; and 
(d) Aims to make continuous improvement to the overall level of safety. 
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Safety Promotion The component of an SMS that provides support for the 
processes associated with safety risk management and safety assurance, and 
defines: (a) Training and education; (b)Safety communication. See Safety Assur¬ 
ance, Safety Management System (SMS) and Safety Risk Management. 

Safety Review Board (SRB) A strategic committee within an SMS that comprises 
senior management officials; addresses high level safety issues associated with 
an operator’s policies, resource allocation and organizational performance mon¬ 
itoring. See Safety Management System (SMS) and Safety Action Group (SAG). 

Safety Risk An assessment, expressed in terms of predicted probability and 
severity of the consequence(s) of a hazard to aircraft operations, with severity 
using as a reference the worst foreseeable or credible outcome. See Hazard 
(Aircraft Operations). 

Safety Risk Management The component of a Safety Management System that 
comprises: (a) Hazard identification processes; (b) Risk assessment and mitiga¬ 
tion processes. See Safety Management System (SMS). 

State Safety Program (SSP) An integrated set of regulations and activities 
established by a state, aimed at managing civil aviation safety. 

Organizational culture Characteristics and safety perceptions among members 
interacting within a particular entity. Organizational value systems include 
prioritization or balancing policies covering areas such as productivity versus 
quality, safety versus efficiency, financial versus technical, professional versus 
academic, and enforcement versus corrective action. 

Risk mitigation The process of incorporating defenses or preventive controls to 
lower the severity and/or likelihood of a hazard’s projected consequence. 
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Appendix: SMS Gap Analysis 45 


# 

Aspect to be analyzed or question to be 
answered 

Status 

Description 

Component 1 - SAFETY POLICIES AND OBJECTIVES 

Element 1.1— Management commitment and responsibility 

1 

Is a Safety Management System with defined 
components established, maintained and adhered 
to? 



2 

Is the Safety Management System appropriate to 
the size and complexity of the service provider? 



3 

Is there a safety policy in place? 


- 

4 

Has the service provider based its Safety 
Management System on the safety policy? 



5 

Is the safely policy approved and promoted by 
die Accountable Executive? 



6 

Is the safety policy reviewed periodically? 



7 

Is there a formal process to develop a coherent 
set of safety objectives? 



S 

Are the safety objectives linked to the safety 
performance indicators, safety performance 
targets and safety requirements? 



9 

Are the safety objectives publicized and 
distributed? 



10 

Is there a policy in place that ensures effective 
safety reporting of safety deficiencies, hazards 
or occurrences including the conditions under 
which protection from disciplinary and/ or 
administrative action applies? 



Element 1 2 - Safety accountabilities of managers 

11 

Has the service provider identified an 
Accountable Executive who has ultimate 
responsibility and accountability, on behalf of 
the service provider, for the implementation and 
maintenance of the SMS? 



12 

Does the Accountable Executive have 
responsibility for ensuring that the Safety 
Management System is properly implemented 
and performing as required in all areas of the 
service provider? 




(continued) 
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# 

Aspect to be analyzed or question to be 
answered 

Status 

Description 

13 

Does the Accountable Executive have full 
control of the financial resources required for the 
operations authorized to be conducted under the 
operations certificate? 



14 

Docs the Accountable Executive have full 
control of the human resources required for the 
operations authorized to he conducted under the 
operations certificate? 



15 

Does the Accountable Executive have final 
authority over operations authorized to be 
conducted under the operations certificate? 



Element 1.3 - Appointment of key safety personnel 

16 

lias a qualified person been appointed to 
manage and oversee the day-to-day operation of 
the SMS? 



17 

Does the person overseeing the operation of the 
SMS fulfill the required job functions and 
responsibilities? 



18 

Are the safety authorizations, responsibilities 
and accountabilities of personnel at all levels of 
the organization delined and documented? 



Element L4 SMS implementation plan 

19 

Has the service provider developed an SMS 
implementation plan that ensures that the SMS 
will meet the organization's safety needs? 



20 

Has the SMS implementation plan been 
developed by a person or a planning group 
which comprises an appropriate experience 
base? 



21 

Has the person or planning group received 
enough resources (including time for meetings) 
for the development of the SMS implementation 
plan? 



22 

lias the SMS implementation plan been endorsed 
by the senior management of the service provider? 



23 

Is the SMS implementation plan regularly 
reviewed by the senior management of the 
service provider? 



24 

Does the SMS implementation plan propose 
implementation in phases? 




(continued) 
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u 

Aspect to he analyzed or question to he 
answered 

Status 

Description 

25 

Does the SMS implementation plan explicitly 
address the coordination between the service 
provider's SMS and the SMS of other 
organizations the service provider must interface 
with during the provision of services? 



Element 1.5 — Coordination of emergency response planning 

26 

Does the service provider have an emergency 
response/contingency plan appropriate to the 
size, nature and complexity of the organization? 



27 

Have the emergency response/contingency 
procedures been documented, implemented, and 
assigned to a responsible manager? 



28 

Are the emergency response/contingency 
procedures periodically reviewed as part of the 
management review of the SMS, and after key 
personnel and organizational changes? 



29 

Does the service provider have a process to 
distribute and communicate the content of the 
emergency response/contingency procedures to 
all personnel? 



30 

Does the service provider conduct drills and 
exercises with all key personnel at specified 
intervals? 



31 

Does the service provider coordinate its 
emergency response/contingency procedures 
with the emergency/response contingency 
procedures of other organizations it must 
interface with during the provision of services? 



Element L6 - Documentation 

32 

Has the service provider developed and 
maintained SMS documentation, in paper or 
electronic form? 



33 

Is the SMS documentation developed in a 
manner that describes the SMS and the 
consolidated interrelationships between all the 
SMS components? 



34 

Has the service provider developed a Safety 
Management System Manual (SMSM) as a key 
instrument for communicating the organization's 
approach to safety to the whole organization? 



35 

Does the SMSM document all aspects of the 
SMS, including the safety policy, objectives, 
procedures and individual safety 

accountabilities? 




(continued) 
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u 

Aspect to he analyzed or question to he 
answered 

Status 

Description 

36 

Does the SMSM clearly articulate the role of 
Safety Risk Management as an initial design 
activity, and promote the role of safety assurance 
as a continuous activity? 



37 

Are relevant areas of SMS related 
documentation incorporated into approved 
documentation, such as Company Operations 
Manual, Maintenance Control/Policy Manual, 
Airport Operations Manual, when applicable? 



38 

Does the service provider have a records system 
that ensures the generation and retention of all 
records necessary to document and support 
operational requirements? 



39 

Is the service provider's records system in 
accordance with applicable regulatory 

requirements and industry best practices? 



40 

Does the records system provide the control 
processes necessary to ensure appropriate 
identification, legibility, storage, protection, 
archiving, retrieval, retention time, and 
disposition of records? 




(continued) 
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Component 2 -SAFETY RISK MANAGEMENT 

Element 2J - Hazard identification process 

41 

Does the service provider have a formal Safety 
Data Collection and Processing System 
(SDCPS) for effectively collecting information 
about hazards in operations? 



42 

Does the service provider’s SDCPS include a 
combination of reactive, proactive and predictive 
methods of safety data collection? 



43 

Does the service provider have reactive 
processes that provide for the capture of 
information relevant to Safety and Risk 
Management? 



44 

Has the service provider developed training 
relevant to reactive methods of safety data 
collection? 



45 

Has tire service provider developed 
communication relevant to reactive methods of 
safety data collection? 



46 

Is reactive reporting simple, accessible and 
commensurate with the size of the service 
provider? 



47 

Are reactive re pons reviewed at the appropriate 
level of management? 



48 

Is there a feedback process to notify contributors 
that their reports have been received and a 
process to share the results of the analysis? 



49 

Does the service provider have proactive 
processes that actively look for the identification 
of safety risks through the analysis of the 
organization’s activities? 



50 

Is training provided relevant to proactive 
methods of safety data collection? 



51 

Has the service provider developed 
communication processes relevant to proactive 
methods of safety data collection? 




(continued) 
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52 

Is proactive reporting simple, accessible and 
commensurate with the size of the service 
provider? 



53 

Does the service provider have predictive 
processes that provide the capture of system 
performance as they happen in real-time normal 
operations? 



54 

Is training provided relevant to predictive 
methods of safety data collection? 



55 

Has the service provider developed 
communication processes relevant to predictive 
methods of safety data collection? 



56 

Is the predictive safety data capture process 
simple, accessible and commensurate with the 
size of the service provider? 



Element 2,2 Risk assessment and mitigation process 

57 

Does the service provider's SMS documentation 
clearly articulate the relationship between 
hazards, consequences and risks? 



58 

Is there a structured process for the analysis of 
the risk associated with the consequences of 
identified hazards, expressed in terms of 
probability and severity of occurrences? 



59 

Are there criteria for assessing risks and 
establishing risk tolerability (i.e., the acceptable 
level of risk the organization is willing to 
accept)? 



60 

Does the service provider have risk mitigation 
strategies that include corrective/ preventive 
action plans to prevent the recurrence of 
reported occurrences and deficiencies? 



61 

Are corrective and preventive actions generated 
in response to event analysis? 




(continued) 
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Component N° 3 -SAFETY ASSURANCE 

Element 3.1 - Safety performance monitoring and measurement 

62 

Are regular and periodic planned reviews 
conducted regarding: 

-Company safety performance? 

-Internal audit reviews? 

-Hazard identification and occurrence 

investigations? 

-Hazard and occurrence analysis results? 
-Internal feedback analysis/results? 

-External feedback analysis/results? 

-Status of corrective actions? 

—Follow-up actions from previous management 
reviews? 

-Changes that could affect safely? 
-Recommendations for improvement? 

-Sharing of best practices across the 

organization? 



63 

Is there a process to evaluate the effectiveness of 
corrective actions? 



64 

Are safety repons reviewed at the appropriate 
level of management? 



65 

Is there a feedback process to notify contributors 
that their reports have been received, and to 
share the results of the analysis? 



66 

Is there a process in place to monitor and 
analyze trends? 



67 

Has the service provider implemented self- 
evaluation processes, such as regularly 
scheduled reviews, evaluations, surveys and 
audits? 



68 

Are corrective and preventive actions generated 
in response to hazard identification? 



69 

Are there procedures in place for the conduct of 
internal investigations? 



70 

Do measures exist that ensure all reported 
occurrences and deficiencies are investigated? 




(continued) 
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71 

Is there a process to ensure that occurrences and 
deficiencies reported are analyzed to identify all 
associated hazards 



72 

Are corrective and preventive actions generated 
in response to event investigations and risk 
analyses? 



73 

Does the service provider have a process for 
evaluating the effectiveness of the corrective/ 
preventive measures that have been developed? 



74 

Docs the service provider have a system to 
monitor the internal reporting process and the 
associated corrective actions? 



75 

Is there an audit function with the independence 
and authority required to carry out effective 
internal evaluations? 



76 

Does the audit system cover all functions, 
activities and organizations within the service 
provider? 



77 

Are audit scope, criteria, frequency and methods 
dearly defined? 



78 

Are there select ion/training processes to ensure 
the objectivity and competence of auditors as 
well as the impartiality of the audit process? 



79 

Is there a procedure for reporting audit results 
and maintaining records? 



80 

Is there a procedure outlining requirements for 
timely corrective and preventive action in 
response to audit results? 



81 

Is there a procedure to record verification of 
action(s) taken and for the reporting of 
verification results? 



82 

Does the service provider perform periodic 
management reviews of safely critical functions 
and relevant safety issues that arise from the 
internal evaluations? 



Element 3.2 - The management of change 

83 

Has the service provider developed and 
maintained a formal process for the management 
of change? 




(continued) 
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84 

Does the formal process for the management of 
change analyze changes to operations or key 
personnel regarding possible risks? 



85 

Docs the service provider identify changes 
within the organization which may affect 
established processes and services? 



86 

lias the service provider made arrangements to 
ensure the maintenance of safety performance 
prior to implementing changes? 



87 

1 las the service provider established a process to 
eliminate or modify safety risk controls that are 
no longer needed due to changes in the 
operational environment? 



Element 3.3 - Continuous improvement of the SMS 

88 

Docs the organization have a process for the 
proactive evaluation of facilities, equipment, 
documentation and procedures through audits 
and surveys? 



89 

Does the organization have a process for the 
proactive evaluation of individuals 5 

performances, to verify the fulfillment of their 
safety responsibilities? 



90 

Does the organization have a reactive process to 
verify the effectiveness of the system for control 
and mitigation of risks? 



Component N° 4 - SAFETY PROMOTION 

Element 4.1 - Training and education 

91 

Is there a documented process to identify 
training requirements so that personnel are 
trained and competent to perform the SMS 
duties? 



92 

Is the safety training appropriate to the 
individual’s involvement in the SMS 



93 

Is the safety training incorporated into 
indoctrination training upon employment? 



94 

Is there emergency response/contingency 

training for affected personnel? 



95 

Is there a process that measures the effectiveness 
of training? 




(continued) 
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Element 4.2 - Safety communication 

96 

Are there communication processes in place 
within the organization that permit the Safety 
Management System to function effectively? 



97 

Are communication processes (written, 
meetings, electronic, etc.) commensurate with 
the size and scope of the service provider? 



98 

Is information established and maintained in a 
suitable medium that provides direction 
regarding relevant SMS documents? 



99 

Is there a process for the dissemination of safety 
information throughout the organization and a 
means of monitoring the effectiveness of this 
process? 
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Appendix: Sample Safety Policy 


Our corporate culture focuses, in conjunction with corporate ethics, on the delivery of 
world class maintenance services. XY Maintenance provides valuable maintenance services 
for its customers in a safe, flexible, efficient and reliable way. We are committed to 
developing, implementing, maintaining and to constantly improving our processes and 
corporate strategy to ensure that all our maintenance activities are conducted using a 
balanced allocation of resources, aimed at achieving the highest level of safety 
performance and meeting national and international standards. 

All employees are accountable for the delivery of this highest level of safety performance, 
starting with the Accountable Executive. 

XY Maintenance's policy is to foster a generative safety culture of open reporting of all 
safety hazards where executive management will not initiate disciplinary action against 
any personnel who, in good faith, disclose a hazard or safety occurrence due to conduct 
not based on intention or gross negligence, 

We operate according to the following key principles: 

Safety is considered as the core value of the company 
Always operate in the safest manner practicable 
Never take unnecessary risks 
Safe does not mean riskfree 

Our commitment is to: 

1) Support the management of safety through the provision of appropriate human and 
financial resources that will result in an organizational culture that fosters safe 
practices, and which encourages effective safety reporting and communication; 

2) Implement and maintain a Safety Management System; 

3) Enforce the management of safety as one of the primary 
responsibilities of all responsible personnel; 

4) Actively manage safety with the same attention to results as financial 
management; 

5) Clearly define for all staff their accountabilities and responsibilities 
for the delivery of safety performance; 

6) Comply with, and wherever possible exceed, legislative and 
regulatory requirements and standards; 

7) Continually Improve our safety performance and conduct safety 
management reviews to ensure relevant safety action is taken and is effective; 

8) Ensure externally supplied systems and services that support our 
operations are delivered according to our safety performance standards. 
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Appendix: Master Risk List Examples 


Ref. 

Nil. 

Risk 

Identifier 

Risk description 

Probability 

Impact 

Financially 

Risk 

potential 

Total 

Priority 

I 

Lighting 

Missing or weak lighting on taxi ways 
or places at (iso airport leads to accidents 

3 

3 

9 

3 

2 

Obstacle 

clearance 

lluildings in the obstacle clearance area 
cannot be removed/prevented due to 
lack of expropriation rights 

3 

3 

9 

4 

3 

Static tests 

Accidents as a result of static engine 
tcsLs 

3 

3 

9 

7 

4 

Aircraft 

Accident 

Accident of scheduled or chartered A/C 

2 

5 

10 

2 

5 

Attacks 

Sabotage or Terror attacks 

2 

5 

10 

1 

6 

Market risks 

Higher costs/ lower revenues 

3 

3 

9 

8 

7 

A/C stairs 

Accident of a disembarking pax on 
inoperable stairs 

3 

3 

9 

6 

S 

Fuel mix ups 

Refueling the wrong fuel 

2 

4 

8 

9 

9 

Towing risk 

Accidents while lowing large A/C or 
with parked A/C 

3 

3 

9 

5 

10 

Helipad 

Helicopter collides with lank system 
causing an explosion 

2 

4 

8 

12 

11 

Water 

Insufficient water drainage on RWY and 
Taxi way 

2 

3 

6 

18 

12 

hire lighters 

In the case of an accident not enough 
personnel or mater lal available in 
accordance with regulations 

2 

4 

8 

15 

13 

Animals 

Accidents because of animals on the 

RWY 

2 

4 

8 

11 

14 

Personnel 

bottlenecks 

Absence of employees without 
substitution or without license, leads to 
business interruption 

3 

2 

6 

17 

15 

hire 

hire in the administrative building, 
terminal or hangar 

2 

4 

8 

13 

16 

KWY surface 

condition 

Accident due So poorly maintained 
RWY surface 

2 

4 

8 

16 

17 

BAZL 

regulations 

Noncomp ha nee with RAZ1 .-regulations 
leads So official limitations or accidents 

2 

4 

8 

14 

IS 

l ank system 

Lx plosion of the tank system 

2 

4 

8 

10 


(continued) 
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Dec 2012 


Inn 2012 





Seventy: l=low, 

5-high 


Risk level 


Risk level 
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-X 

at 

E 

■ 

(2 

I 

£ 

£ 

IS 

m 

J 

£ 

□. 

■x 

* 

a 

Measures 

Responsible 

Person 

1 




1 

1 

5 

□ 

1 

2 

10 



2 




3 

4 

12 

□ 

3 

4 

12 



3 




4 

3 

12 

□ 

4 

3 

12 



4 




1 

1 

1 

n 

5 

1 

5 



s 




3 

2 

6 

□ 

3 

2 

6 



6 




3 

2 

6 

□ 

3 

2 




7 




1 

1 

T" 

□ 

1 

1 

s 
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Appendix: ASR/Hazard Reporting Procedure 



Yes, immediately 


INITIATION OF RISK 
MITIGATION MEASURES 


ENHANCED SAFETY 
PERFORMANCE 


DISCUSSION IN THE 
SAFETY ACTION 
GROUP 
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Appendix: Sample Air Safety Report 


Air Safety Report and Hazard identification 


Pilot in command 

^Flying 

□ 

Monitoring 

Second in command 

Other Crewmemberfsl 

Date of Event: 

23.04.2013 

Time (UTC): 

21:45 

O ep-A rr/D i v e rsi o n 

Dep 


Important Notice! The detail* in this grey shaded area are optional. Independent of this, the report 
will be made anonymously and the data will not be forwarded! Nevertheless, personal data should be 

stated for further enquiry. 


Sub iect/e vent 


Abnormal 

CRM 

Emergency 

Pax/Cargo 

ATC 

Operating 

practices 

Airport 

Security 

Flight 

planning 

SOP 

Charts, Maps, 
Nav 

Dispatch 

GA 

Ground 

Handling 

Technical 

Weather 


IAS/MACH: I5 Q kts Altitude: 3000 ft Fuel ilhsh 3000 

No. Crew/pax: 2 _ Runway: 13 Geographical position : Above R W 


Time of day: 

Day 

Night 


Aircraft: 

HB-XXX 

HB-XXX 

HB-XXX 

HB-XXX 

HB-XXX 

Flight phase: 

Parked 

Towing 

Taxi 

Take off 

Climb 

Cruise 

Descent 

Holding 

Approach 

Go-Arouud 

Landing 

Other 


A/C configuration; 

Auto-Pi lot 

Auto-Throttle 

Gear 

Flaps 

Speed brakes | 

Runway slate: 

Slush 

Snow 

Dry 

Wet 


Weather: 

Snow 

Rain 

Icing 

Fog 

Turbulence | 

Hail 

W ind shear 

Clear 

Thunderstorms 


Visibility: 

more than HI km 

5 km - 10 km 

1 km — 5 km 

Dense fog less 
than 1 km 

Temperature: 

-3ll°C to -ld°C 

-9°C to 10°C 

11°C to 16°C 

17°C to 25°C 

26°C to 30°C | 

31°C to 4(1° C 



Short description; ^Hazard 

During takeoff* as the aircraft was climbing, at an altitude of approximately 2000 ft, the right hand 
engine (engine 2) ingested a bird; the flight crew immediately shut it down and returned for landing. No 
one on board was injured and the aircraft landed safely. The right engine suffered heavy damage. 
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Appendix: Safety Manager Evaluation Sheet 


TO SE COMPLETED BY THE SAFETY MANAGER 


The report has been identified and entered into the company database 


Signature:__ Date: xx.xx.xxxx 


Rate the probability of the hazard recurring 


Often 



Practically impossible 

5 4 

3 

2 

1 

Rate the worst-case severity 




Disaster 



Insignificant 

5 4 

3 

2 

1 


What action is required to eliminate or control the hazard and prevent injury? 

Raise awareness of flight crews operating at that airport, additional training regarding emerge 
procedures. 

Report incident to airport, harmonize with other operators and request measures from the airp 

Required resources: 

Responsibility for action: 

Appropriate feedback given to staff. 

Signed______________ Date _ 
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Appendix: SWANS Report 46 


In order to submit a report, please complete the online form below. Alternatively, 
you can download the Snapform version, which can be sent by mail or fax to the 
SWANS address. Complaints raised against third persons will not be filed by means 
of SWANS, they have to be reported to FOCA via the ordinary recourse. Neverthe¬ 
less, should a complaint against a third person be filed by means of SWANS, the 
person filing the complaint has to take into account that his/her personal data could 
be disclosed to the accused person in the course of his/her right of access to records. 

Top of Form 


URL Homepage (do not fill please) 

Date & time of the occurrence (*) 
Location oft lie occurrence (*) 

Aircraft type/ immatriculation 
Occurrence reported lo other parties? {*) 
IF yes. to whom? 


Occurrence description (*) 


Possible causes of the occurrence? 


What could be done to avoid such an occurrence? 


1 

3 

3 


Last & First Name 

Company 

Street 

Postal code/City 
Phone Number 
Fax Number 
E-Mail 

Please, till out all mandatory Helds (*) 


46 


Bundesamt fur Zivilluftfahrt (BAZL) (2007). 
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Appendix: ERP Checklist Emergency Director 
Emergency Director 



Name 

Department 

Responsibilities 

Duty 

Phone 

Fax 

Mobile Phone 

Private 

Phone 

1 







2 








No 

ACTIVITIES 

WORK 

performed 

TO DO / INFO 

Item completed? 
TIME / DATE/3LC 

Comments 

1 

Alerting Emergency Director of 
corresponding Operator 





2 

Gain clearance for releasing 
Telephone Enquiry Center Hotline 
and forward it to Press Office 






Obtain feedback about the arrival 

of the members of the crisis team 





a 

Arrange time for initial briefing 





5 

Initial briefing in the Emergency 
Operation Center 

• Current Information 

• Coordination of further steps 

• Care (Pax, Crew, NOK) 

* C am mu n icatIon (1 nternal, extern a 1) 

* Data protection 

* Fieldwork / Field Team 

• Mai nten a n ce of ope rat Eo n 

* Open issues 





6 

Logging of events in the Emergency 
Log 





7 

Obtain contacts from the site of 

accident from Ground Ops 





3 

Establish contact with the 

Investigator in Charge 





9 

Request additional information 

* Pax condition 

* Crew condition 

* A/C condition 





10 

Secure original business 

documentation, documentation of 






(continued) 
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A/C relevant audit reports, etc. 





11 

Exchange of information with 
Investigator in Charge: 

• Matching of pax data 

• Supply of necessary data and 
information 





12 

Information exchange with 

corresponding operator (broker) 

* Contact Special Assistance Team 

* Match pax data 

* Press activities 





13 

Information exchange with local 
authorities 

* Supply of necessary data and 
information 





14 

Check, whether notification of Civil 
Aviation Authorities has already 
occurred, respectively initiate 
notification via form [refer to 
"Forms") 






Appendix: Individual Risk Assessment Example 

RISK MANAGEMENT SAMPLE COMPANY 

Individual Risk Assessment 

Risk No. 9 Exchange rate development 


Introduction 

As part of the Risk Management of the sample company, all potential sources of 
risk in relation to existence, operation and development of the company are 
systematically recorded and analyzed. The recognized and relevant risks are 
assessed according to standard criteria regarding financial scope, frequency of 
occurrence and severity. The resulting risks are then entered into a Master Risk 
List according to their priority and risk factor. This is the basis for the individual 
risk assessment in which the significant risks are presented and mitigation measures 
are proposed to reduce the level of risk. 

Starting point: No. 9 Exchange rate risk developments 
• Changes in exchange rates might not only affect income and costs, but also the 
assets and liabilities of the sample company extremely unfavorably. The sample 
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company invoices in the following currencies: CHF, EUR, USD and YEN. As an 
exporter, the strength of CHF in recent years is, in the view of the sample 
company, no advantage. 

• For several years, the sample company has assured the currencies CHF, EUR 
and USD, but not YEN, with instruments at the UBS against downward trends, 
with the aim of planning security. The corresponding operating margin is 
described in the mandatory foreign currency directive of October 3rd in 2013. 

• For a natural hedging, the possibilities for the sample company are low, e.g. no 
production facility in the USD or YEN-area, limited ability to pay suppliers and 
employees in EUR. 

Risk No, 9 Exchange rate development 


Risk owner 

CFO Karl Muster 

Probability 

Development (gradual) □ □ 13 □ Event (unexpected) 

Risk area 

Finance 

Hazard 

Market prices (Master Risk List item 6.2) 

Cause or the risk 

Negative exchange rate developments 

Dec 1 i n mg sa les prices for del i vcrics abroad (ex port) 

Decline in international business because foreign competitors can offer 

more price-favorable products (arbitrage) 

Lack of currency risk hedging 

Rising inflation 


Goals 

Procedure / Action item 

□ Avoid risk 

0 Mitigate risk 

□ Accept risk 

Early warning indicators 

- Exchange rates of bank s, et c. 

Reduction of frequency 

- I mplcinentation of t he foreign currency direct i ve 

Reduction of severity 

- Ongoing completion of foreign currency exchange contracts in accordance 

with foreign currency guidelines 

- Limi t hold t ngs of unhedged currencies 

- Prevent opportunities for speculation with ctureucies, financial instruments. 

etc, 

- No additional build-up of exchange rate risks with medium and long-term 

investment in securities 


(continued) 
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Risk No, 9 Exchange rate development 


Measure 

Responsible 

Deadline 

Status 


Person 




Completed measures 




Creating a foreign currency policy 

John Doe 

30.06.2010 

Completed 

Check, if ihc YEN currency should also be hedged 

John Doc 

30.09.2011 

Completed 


Pending actions 




Use of hedging instruments at UBS in Zurich 

John Doe 

31.12.2014 

In progress 

Regular assessment of the currency positions relative 

to price limits and stocks (a currency may not exceed 

a certain amount) 

John Doe 

31 12 2014 

In progress 

Waiver of financial instruments and systems that 

include additional currency risks 

John Doe 

30.06.2014 

In progress 

Annual review of pricing arrangements with our 

subsidiaries regarding cunency surcharge or 

markdown 

John Doe 

31 12,2014 

In progress 

Check if a group-w ide cash pooling could be useful 

and practical 

John Doe 

31.03 2014 

In progress 


Appendix: Risk Management Policy 

NEW AIRLINE LTD. 

RISK POLICY 


Table of Contents 

PRINCIPLES OF RISK MANAGEMENT 

Concept of the Risk Management 
Purpose of the Risk Management 
Strategy of the Risk Management 
Annual Briefings 
Risk Management Organization 
Roles and Responsibilities 
RISK MANAGEMENT PROCESS 
Process Phases 
Overview of the Process 


(continued) 
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(continued) 

RISK MANAGEMENT GUIDELINES 

Phase 0: Preparation 

Phase 1: Risk Identification 

Phase 2: Risk Assessment 

Step 1: Risk Consolidation and Classification 

Step 2: Risk Prioritization 

Phase 3: Risk Measures 

Phase 4: Risk Re-Mapping 

Phase 5: Reporting 

FINAL PROVISIONS 

Entry into Force 

Changes and Amendments 


PRINCIPLES OF RISK MANAGEMENT 
Concept of the Risk Management 

The Risk Management (RM) of New Airline Ltd. is a task of the Executive 
Management and is monitored by the Board of Directors, forming an enterprise¬ 
wide strategic framework. It is designed to identify potential events that could have 
a substantial negative impact on the company. Its aim is to control risks and to 
ensure an adequate level of certainty in relation to the achievement of corporate 
goals. With the early identification of risks associated with the scope of the different 
departments, corporate safety should be increased. The RM of New Airline Ltd. is 
embedded into the existing management processes of the company and should not 
be a parallel organization in itself. 

Purpose of the Risk Management 

The main objective of the Risk Management is to provide the Board of Directors 
(BoD) and the Executive Management (EM) with a complete and continuously 
updated corporate risk overview. Based on this, the most important risks can then 
be systematically processed according to their potential and be mitigated as far as 
possible. The main objectives include: 

• Coordination of strategy, Risk Management and internal controls 

• Optimization of decisions in response to risks 

• Improvement of the reliability of forecasts 

• Identification and control of enterprise-wide risks 

• Improvement of risk awareness throughout the company 

• Standardization of procedures and the Risk Management language at the corpo¬ 
rate level 

• Annual preparation of a Top Risks List, which is then applied across 
corresponding departments 

• Provision of adequate insurance coverage 
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• Ensuring that the internal control system (ICS) is continuously implemented and 
optimized as far as possible. 

Strategy of the Risk Management 

Risk factors that may impact the ability of the company to reach its strategic 
objectives are detected and analyzed. The Board and Executive Management of 
New Airline Ltd. are convinced that risks are always associated with opportunities. 
Calculated risk-taking is essential for the growth of our company. Each employee 
should be aware of the strategic direction of New Airline Ltd. and work to achieve 
these goals by taking reasonable steps, outlined below, in order to effectively 
manage risks and opportunities. 

The strategy of New Airline Ltd. is based on the following vision: 

1. Take advantage of the growth opportunities in Switzerland through well-chosen 
market segments and service solutions 

2. Market leadership in the aviation sector in Switzerland with the label Swiss 
Made 

3. Expansion of transportation services by offering state of the art transportation 
services in a global network 

Annual Briefings 

The Board of Directors has to discuss the risk environment and the related risk 
exposure of New Airline Ltd. with the Executive Management at least once per 
annum. The findings are included in the risks list and measures. Ways to address 
and mitigate them are presented. 

Risk Management Organization 

At New Airline Ltd., the Board of Directors has the overall responsibility for 
Risk Management. The board may seek advice from an advisory board, if such is 
established and needed. In line with the law, and based on company regulations, 
the Board delegates the implementation of Risk Management to the Executive 
Management. The EM is assisted by the Risk Manager. He/she carries out 
activities on behalf of the EM and reports to them. In the case of urgent risks 
or if there is a concern that these risks are not adequately perceived and/or 
covered, the Risk Manager can directly communicate with the Chairman of the 
Board. 
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Board of Directors | 



Roles and Responsibilities 

Board of Directors (BoD) 

• Definition of the risk management organization 

• Defining the risk management processes 

• Defining the risk management policy and the adoption of the policy 

• Ensuring the effective implementation of the risk management organization, risk 
management policy and risk management processes 

• Taking overall responsibility for Risk Management 

Executive Management (EM) 

• Management of all risk factors within the strategic, operational and financial 
framework to mitigate and to reduce risks 

• Provide timely and accurate information about the risks that the company faces, 
as well as steps taken to ensure their effectiveness 

• Responsible for the implementation and coordination of the Risk Management 

• Coordination of information flow and documentation relating to the Risk 
Management 

• Conduct sampling to ensure that all risks are identified, analyzed and, if neces¬ 
sary, a single risk assessment is carried out and appropriate risk-mitigating 
measures are defined 

Risk Manager 

• Preparation of annual risk analysis (as part of the annual SWOT analysis) for 
submission to EM and BoD 

• Preparation of the definition of risk-mitigating measures for submission to EM 
and BoD, as well as monitoring the implementation of the risk-mitigating 
measures 

• Quarterly reporting to the EM on the development of key risks and the level of 
risk-mitigating measures (risk radar as part of the quarterly reporting) 

• Annual report on Risk Management to the BoD 

• Coordination of the risk management function with measures of the ICS 

• Ongoing identification, definition of proposed measures and reporting of signifi¬ 
cant changes in the risk environment 

• Preparation of the annual insurance overview 
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• Ensuring that all employees are also questioned about new or worsened risks in 
connection with the annual staff performance review 
Risk Management is the responsibility of everyone in the company, including 
management and employees, and is therefore explicitly or implicitly part of the 
job description of every member of the company. In order to allow a proper 
application of that responsibility by all employees, the relevant risk management 
information will be published with access for all employees through the intranet. 


RISK MANAGEMENT PROCESS 
Process Phases 

The overall process of risk identification, risk assessment, risk measures, risk 
re-allocation and reporting in the strategic environment should be carried out 
annually. In the case of unforeseen and extraordinary events, these processes can 
occur more frequently. 

Six phases of the Risk Management process: 

Phase 0: Preparation 
Phase 1: Risk Identification 
Phase 2: Risk Assessment 
Phase 3: Risk Measures 
Phase 4: Risk Re-allocation 
Phase 5: Reporting 
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Overview of the Process 



The RM process is standardized across the whole company. The Executive 
Management undertakes all the necessary efforts to raise the awareness of Risk 
Management amongst employees on every level. 


RISK MANAGEMENT GUIDELINES 
Phase 0: Preparation 



The preparation phase is a long-term process and is not performed on an annual 
basis. It takes place over a longer period of time, and is modified and amended with 
changes in strategy, in cases of extraordinary events or when new information 
becomes available. This phase includes the following tasks 

• Set up of the Risk Management Organization 

• Establishment of Risk Management Processes 

• Establishment of the Risk Management Policy 

• Set up of Risk Management Guidelines 
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Milestone 0: Set up of the Risk Management Organization, approve the Risk 
Management Policy, implement Risk Management Processes and adopt the Risk 
Management Guidelines. As a result, the Risk Policy is adopted or revised by the 
Board of Directors. 

Phase 1: Risk Identification 

In this phase, all risks that confront New Airline Ltd. are identified. A risk is an 
incident or event that arises from either internal or external sources and could have 
an impact on the implementation of a strategy or the achievement of objectives. 
Risks can have either positive or negative effects; however, the focus of risk 
management activities at New Airline Ltd. is on negative events. At this stage, 
the Executive Management identifies and monitors all potential events, even if 
these events have a low probability of occurrence. This is especially relevant if the 
potential impact on the achievement of important objectives is high. 

In order to capture all relevant risks, not just the BoD and EM members are 
interviewed by the Risk Manager. All the employees of New Airline Ltd. have to be 
questioned about possible risks, using a standardized questionnaire. Subsequently, 
this survey can be conducted in conjunction with the annual employee performance 
review. 

Milestone 1: After the implementation of the risk management process all 
employees, as part of their annual employee performance review, are interviewed 
about possible new or worsened risks. 

Phase 2: Risk Assessment 

Step 1: Risk Consolidation and Classification 

All identified risks are first consolidated by an interdisciplinary team composed by 
the EM, and under the direction of the Risk Manager. Similar risks will be clustered 
and risks without a relevant damage potential will be deleted. The risks are 
classified into the following three categories: strategic risks, operational risks and 
financial risks. 

Strategic risks: all risks that endanger the existence or continuation of the 
company or which may cause the company to go into liquidation/insolvency are 
classified as strategic risks. In general, these risks relate to the long-term success 
and viability of the company. These include: 

• Risks which arise from disasters or force majeure situations including service 
disruptions caused by natural disasters, uncertainties, service liabilities, etc. 

• Environmental risks: Strong competitors negatively affecting the business. 
Incorrect, untimely or unavailable information about competitors/rivals and 
their products could have an adverse impact on the business. 

• Management risks: In addition to having an appropriate organization, manage¬ 
ment style is one of the crucial preconditions for the success or failure of a 
company. Lack of leadership (unclear instructions, unclear responsibilities) may 
represent a risk to a company, such as overdependence on leading executives. 
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• Risks related to stakeholders: Ensure that the company is focused on the needs 
and aspirations of all stakeholders, including shareholders and business partners, 
authorities, suppliers and society in general. 

Operational risks: Operational risks are those risks that threaten strategic goals 
due to inappropriate or lack of internal processes, people or systems. In general, 
these risks are short or medium-term risks and include the following: 

• Process risks: Risks that relate to the customer value proposition process in the 
company. 

• Operational risks: Risks that arise in the daily operation, such as insufficient 
resources, quality problems, illness, accidents, miscalculations, maintenance 
deficiencies, etc. 

• Credit risks: Risks associated with the failure of important equipment for 
operations such as failure of the necessary IT infrastructure, etc. 

• People and cultural risks: Risks that arise as a result of years of corporate culture 
development and the people that live and work in this culture. There are several 
categories of such risks, and they may take the form of resources, know-how and 
skills, motivation, integrity, compensation, performance, relationship with trade 
unions and legal problems. 

• Legal risks: Potential for losses arising from the uncertainty of future regulations 
or legal processes, such as outcomes of litigation, bankruptcy, etc. 

Financial risks: Risks that have purely financial implications for the company 

(short or long term) fall in this category, for example: 

• Market risks: The possibility of losses arising from adverse changes in market 
prices and rates, including commodity prices, interest rates and exchange rates. 

• Liquidity and credit risks: Liquidity risk describes a situation in which one party 
is not able to meet liabilities and debt obligations at a certain point in time. This 
may affect collection, management of liquid assets, hedging and financing. 

• Taxes, regulations and accounting: The accounts are subject to a thorough 
examination and may be subject to substantial risks in light of existing lawsuits 
and legal measures. 

• Capital structure: The company does not have sufficient/optimal capital, 
resulting in higher capital costs, lower profitability and a reduction in cash 
flow and liquidity. 

Step 2: Risk Prioritization 

A workshop should be organized in order to prioritize risks in the master risks list. 
Members of Executive Management from selected departments and an external 
advisor all take part in this workshop. The idea is to encourage an open dialogue 
about risks. 

All identified risks are analyzed based on a risk priority number (RPN), which is 
based on two criteria and a weighting on a scale of 1-5. The criteria are defined as: 

• The impact or severity of the event (effect of risk in financial terms) 

• Probability of occurrence (frequency with which these risks occur) 

The risk priority number (RPN) is obtained with the multiplication of the two 
risk factors. The lowest RPN is therefore 1 and the highest 25. Part of the risk 
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assessment is also to determine whether a risk has a relevant lead time. This is 
considered as a surprise factor which is accounted for with the risk factor of — 1. 
The prioritization is made in the master risk list based on the determined RPN. 

The master risk list should be treated as confidential by all employees. However, 
it may be required to present it to insurance brokers and insurance experts in 
connection with the annual insurance verification. The matrix to determine the 
RPN is shown graphically below. 


Disaster 

>50M CHF 

5 



Critical 

>5 < 50M CHF 

4 

8 



Moderate 

>0,5 < 5M CHF 

3 

6 

9 



Low 

>0,05 < 0,5M 

CHF 

2 

4 

6 

8 

5 

Insignificant 

< 0,05M CHF 

1 

2 

3 

4 


Criteria 

< 1 per 100 
years 

> 1 per 

100 years 
< 1 per 10 
years 

> 1 per 10 
years 

< 1 per 1 
year 

>1 per year 
<1 per month 

> 1 per 

month 

Severitv^^ 

^^Probability 


Practically 

impossible 

Unlikely 

Possible 

Occasional 

Often 


Zone 1 
Zone 3 
Zone 4 


Risk is not acceptable, immediate measures for risk mitigation required 
Tolerable risk, evaluate measures for risk mitigation 
Acceptable risk, no measures required 


Potential risks of more than ten RPN, according to the risk assessment, are the 
main risks (Top Risks) of New Airline Ltd. These risks have top priority for the 
following reasons: 

• To keep the directed attention on the selected issues 

• To allocate the available resources, human capital and finances efficiently. 

• To assign risk owner(s) to each top risk 

Milestone 2: Identification, development and mapping of the most important 
risks (Top Risks). 

Phase 3: Risk Measures 

The measures for each of the key risks (Top Risks) are defined in a so-called 
individual risk assessment. The analysis includes: 

• The complete scenario of the risk occurrence 

• Drivers of the risk 

• The connection of this risk to other risks 

• Quantification of risk (intelligent estimate) 

• Identification of the “need for action” and definition of the necessary risk- 
mitigating measures 

The detailed analysis must then be discussed with the Executive Management. 
Each risk is monitored by the Risk Manager along the following points: 
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• Clear and achievable goals and benchmarks 

• Detailed planning process, including clear deadlines, important milestones and 
cost-benefit analysis 

• Definition of Key Performance Indicators (KPIs) or Standards 

• A clearly defined methodology 

• Clear allocation of resources 

Milestone 3: The measures for handling risks are defined, the action plan is 
prepared and persons responsible for each of the top most important risks are 
appointed. 

Phase 4: Risk Re-Mapping 

The action plan for responding to a particular risk is set in a specific, corresponding 
project. The risk mapping should be updated in the second quarter of each year, 
along with trends in the risks in the Top Risks List and the effectiveness of 
responses to these risks. The re-mapping is important for the following reasons: 

• To keep the development of risk scenarios in mind 

• The review of the effectiveness of measures for handling risks 

• To control the risk management process 

To ensure an accurate and complete understanding of all the potential risks, 
periodic surveys of all employees are conducted (as part of the annual performance 
review) to obtain their risk assessment. Where possible, the risk re-mapping should 
be made by a multidisciplinary team. 

Milestone 4: The individual risk assessments are continually processed by the 
respective risk owners in coordination with the Risk Manager. 

Phase 5: Reporting 

The reporting is prepared by the Risk Manager and the monitoring of the risk 
management process is documented as follows: 

• Quarterly reporting to the EM concerning the major risks 

• Annual reporting of all risks according to the master risk list and the activities of 
the Risk Manager to the BoD 

• Annual update of all documents relating to the Risk Management 

In order to be able to update the Risk Management and reporting to the latest 
development standards, the Risk Manager should attend relevant training in con¬ 
sultation with the EM. 

Milestone 5: Regular updates and reports on the follow up process, the effec¬ 
tiveness of risk responses and proposals for the next cycle. 


FINAL PROVISIONS 
Entry into Force 

With the resolution of the Board, this risk policy will be active with immediate 
effect and replaces all previous provisions for risk management within New 
Airline Ltd. 
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Changes and Amendments 

This risk policy has to be reviewed at least every four years and has to be amended 
if necessary. 

Zurich, 1 April 2013 

Chairman of the Board of Directors: Board secretary: 


Appendix: Steps in Assessing Risk 

According to Kaplan and Garrick (1981), pp. 11-27: 

What can happen, how likely is it, that it will happen and if it does happen, what are the 
consequences? 

According to Suddle and Waarts (2003): 

1. Probability of undesired consequence. 

2. Seriousness of (maximum) possible undesired consequence. 

3. Multi-attribute weighted sum of components of possible undesired 
consequence. 

4. Probability x seriousness of undesired consequence (“expected loss”). 

5. Probability-weighted sum of all possible undesired consequences (“average 
expected loss”). 

6. Fitted function through graph of points relating probability to extent of unde¬ 
sired consequences. 

7. Semi-variance of possible undesired consequences regarding their average. 

8. Variance of all possible undesired consequences regarding mean 
consequences. 

9. Weighted sum of expected value and variance of all possible consequences. 

10. Weighted combination of various parameters of the probability distribution of 
all possible consequences (encompasses 8 and 9). 

11. Weight of possible undesired consequences (“loss”) relative to comparable 
possible desired consequences (“gain”) 
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Appendix: Insurance Review 


l, I s thei tisura nee coverage complete? 


Insurance 

Insurer 

In sura nee coverage 

Insurance term 

Public Liability Insurance 




Insurance of property 




Aircraft Insurance 




Personal Accident Insurance 




Comprehensive Aircraft Insurance 




Motor Vehicle Insurance 




Accident Insurance 




Collective Accident Insurance 




Sick-pAy Insurance 




Loss-of-usc Insurance 




Operating Legal expenses Insurance 




Special Insurance (incase of blackmail) 





Are all risks avsucialftl uillt ihe master risk list Luvrred by insurance? 

□ Vcs 

□ No 

Measures’. . .... ... ... .. ... 

3. Arc I lie risks insured to a significant degree? 

a Yes 

□ No 

Measures' 31 . 

4. Is (he tine of (he insurance coverage long enough? 

B Yes 

□ No 

Measures?.„.... 

5. Risks are mil insured lv>ice? 

□ Yes 
o No 

Measure**’. ... .. .. . ..... ... ..... .. ... . . ,, ., ,. .. .. .. .. 

6. W as (lie kgal standard adhered to iu eonucciiou with legal risks? 

□ Yes 

□ No 

Measures? ...... 

7. Is (here a u ri tEen assessment by the iusu ranee broker as ail a hie? 
a Yes 

o No 

Measures?..... 


(continued) 
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